CTT Breach: 468K Emails, Names & Phones Exposed (2026)
In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum . The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.
Overview
In April 2026, a dataset allegedly stolen from CTT (Correios de Portugal), Portugal’s national postal service, was posted to a public hacking forum. The breach exposed approximately 468,124 unique email addresses, along with names, phone numbers, and parcel tracking numbers. The tracking numbers are of particular concern because they can be used to retrieve parcel delivery history, revealing sensitive details about users’ shipping habits and locations. The breach was reported to Have I Been Pwned, making it easy for affected customers to verify if their data was compromised.
What Was Exposed
The exposed data includes:
- Email Addresses – Primary account identifiers used for login and communication.
- Names – Full names linked to postal service accounts.
- Phone Numbers – Direct contact information.
- Parcel Tracking Numbers – These can reveal delivery routes, sender and recipient addresses, and parcel history, which could be used for social engineering or targeted scams.
While no passwords or financial data were directly exposed, the combination of personal identifiers makes this a HIGH severity incident. Attackers can use email addresses and phone numbers for phishing campaigns, while tracking numbers enable more sophisticated fraud, such as impersonating CTT support to request “delivery verification” or “customs fees.”
How the Breach Happened
The exact attack vector has not been publicly confirmed by CTT at this writing. However, the data appearing on a public hacking forum suggests either an insider leak, a compromised database, or a vulnerability in CTT’s customer-facing systems. Given that tracking numbers were included, the breach likely involved a backend system storing customer orders and delivery records, rather than just marketing data.
This incident mirrors other postal service breaches (e.g., Royal Mail, Australia Post) where tracking numbers were used to craft convincing phishing emails about “undelivered packages.” Users should be alert for such campaigns in the coming months.
Risks to Affected Users
- Phishing & Smishing – Attackers can send realistic emails or SMS messages referencing your parcel tracking number, asking you to click a link or call a fake support line.
- Social Engineering – With your name and phone number, scammers can pose as CTT representatives to extract more sensitive information, like payment card details or home addresses.
- Privacy Invasion – Parcel tracking history reveals what you ordered, when, and where it was delivered, potentially exposing purchase habits or embarrassing items.
How to Check If You’re Affected
Visit Have I Been Pwned and enter the email address you used with CTT. If your email appears in the breach, assume your name and phone number are also exposed. CTT may also be notifying affected customers directly. Do not provide additional personal or financial information in response to unsolicited messages.
What to Do Right Now
- Enable Two-Factor Authentication (2FA) on any CTT account that supports it, and on your email account.
- Be skeptical of unsolicited messages mentioning your tracking number. Contact CTT directly via their official website or phone number if you need to verify a delivery.
- Monitor for phishing attempts - delete suspicious emails and SMS messages without clicking. Report them to CTT’s security team.
- Change your CTT account password if you haven’t done so recently, and use a unique password not shared with other services.
Security Insight
This breach underscores a recurring vulnerability across national postal services: the reliance on simple tracking numbers as authentication tokens. While not credentials per se, tracking numbers expose behavioral data - what users buy, where they ship, and when they’re away from home. CTT’s failure to protect these identifiers suggests a broader lack of security hardening in their customer-facing IT infrastructure. Postal services worldwide should adopt tokenized tracking links (expiring, single-use) and enforce multi-factor authentication for account access.
Further Reading
Investigate Breaches Safely with NordVPN
Researching exposed data, paste sites, or threat actor infrastructure? Route your OSINT traffic through a VPN to avoid attribution and keep your investigation IP separate from your corporate network.
Get NordVPN for ResearchAffiliate link — we may earn a commission at no extra cost to you.
Never miss a data breach report
Get real-time security alerts delivered to your preferred platform.
Related Breach Reports
In June 2026, Moody Bible Institute was targeted by a ShinyHunters "pay or leak" extortion campaign . Over 2.3M unique email addresses and other personal data were later published publicly, including names, physical addresses, phone numbers, dates of birth and other information relating to donors, s...
In June 2026, the food distribution company Sysco was targeted by a ShinyHunters "pay or leak" extortion campaign . Data was subsequently published containing 2.7M unique email addresses belonging to staff and customers. The data also contained largely corporate contact information including names, ...
In June 2026, telecommunications tower infrastructure company American Tower was the target of a ShinyHunters "pay or leak" extortion campaign . The group subsequently published data allegedly taken from the company containing more than 200k unique email addresses belonging to employees, contractors...
In March 2026, the financial consulting and advisory firm CFGI was the target of a ShinyHunters "pay-or-leak" extortion campaign . The group subsequently publicised data allegedly obtained from CFGI comprising corporate contact information, including 243k unique email addresses, names, phone numbers...