Flash Report: Spanish Energy Company Breached

Key Findings

• On January 4, 2026, actor “spain” announced on the dark web forum BreachForums that they had breached Endesa, a Spanish energy company. On January 5, 2026, actor “glock” posted the same advertisement on the dark web forum DarkForums. ZeroFox assesses it is almost certain these personas are being operated by the same threat actor.
• According to spain/glock, the sales post was approved by both forums’ moderation teams, and the data was verified, likely lending significant credibility to the post.
• Endesa confirmed in a statement that a threat actor gained unauthorized and illegitimate access to its systems and extracted sensitive personally identifiable information (PII).
• It is almost certain that the advertisements on the dark web forums will attract significant attention from potential buyers, especially considering that Endesa has confirmed the breach.

Details

On January 4, 2026, newly registered and unvetted actor spain announced on the dark web forum BreachForums that they had breached Endesa, a Spanish energy company. The actor claimed to have full access to all data stored by the company; they also claimed that this was a new breach and that they are the sole actor in possession of the data. Endesa subsequently confirmed that it had been breached.¹

• On January 5, 2026, newly observed and unvetted actor “glock” posted the same advertisement on the dark web forum DarkForums. Both actors have the same profile picture and are almost certainly the same individual. Spain/glock was very likely attempting to enhance circulation of the advertisement to attract more potential buyers.
• Spain joined BreachForums in January 2026, and glock joined DarkForums in September 2025; neither persona has accumulated a positive reputation on the respective forums.
• Endesa is reportedly one of Spain’s largest gas and electricity companies and documented a nine-month revenue of approximately EUR 16 billion from January to September 2025.²

According to spain/glock, the sales post was approved by both forums’ moderation teams, and the data was verified, likely lending significant credibility to the post. The full dataset reportedly contains information pertaining to more than 20 million Spanish residents and exceeds 1 TB in size. The price is reportedly negotiable, and the actor stated that they will only sell to one person via escrow.

• The dataset allegedly contains highly sensitive PII related to both customers and internal company business information.
• Among the most sensitive data are potential Foreigner Identity Numbers (NIEs), national ID numbers, names, emails addresses, International Bank Account Numbers (IBANs), phone numbers, and other personal details.

Endesa confirmed in a statement that a threat actor gained unauthorized and illegitimate access to its systems and extracted sensitive PII; however, online passwords were reportedly not extracted.³ Endesa also warned customers that, although it had not detected any mishandling of the compromised data, it could be used for identity fraud and social engineering campaigns.

• In February 2024, the Spanish Data Protection Agency (AEPD) fined Endesa EUR 6.1 million for General Data Protection Regulation (GDPR) violations following a security breach in 2024 that likely exposed customer data.⁴

It is almost certain that the advertisements on the dark web forums will attract significant attention from potential buyers, especially considering that Endesa has confirmed the breach. Threat actors will very likely seek to use the data for social engineering—such as phishing or smishing (SMS phishing)—and identity fraud campaigns for financial gain.

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 7:00 AM (EST) on January 12, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

1. hXXps://www.telemadrid[.]es/noticias/economia/Hackeo-a-Endesa-Energia-compromete-datos-sensibles-de-millones-de-clientes-0-2852114765--20260112104854.html
2. hXXps://www.endesa[.]com/en/press/press-room/news/economic-information/september-2025-results
3. hXXps://www.europapress[.]es/portaltic/ciberseguridad/noticia-hackeo-endesa-energia-compromete-datos-sensibles-clientes-incluidos-dni-medios-pago-20260112100753.html
4. hXXps://www.dataguidance[.]com/news/spain-aepd-fines-endesa-energ%C3%ADa-61m-data-protection