A threat actor calling themselves "Aleksey_Petrov" began offering data from an alleged TranzactCard breach on BreachForums starting January 28th. The seller claims to possess records for approximately 32,000 user accounts and 48,000 credit card numbers.

The posted data dump includes email addresses, usernames for both Digital Branch Owners (DBOs) and customers, card details, purchased gift card information, phone numbers, passwords, and IP addresses. "Aleksey_Petrov" also asserts the package contains TranzactCard's backend database credentials and website login details, though these specific items may now be invalid. A sample of the alleged breach data was posted on JustPaste, but its authenticity remains unconfirmed by TranzactCard.

TranzactCard, a financial technology company, promotes a "digital bank" model. It operates through independent DBOs who recruit customers. This structure positions DBOs as a critical user group within the company's operational framework, making their potentially compromised data particularly sensitive.

TranzactCard has not publicly acknowledged the alleged breach. The company's press section on its website shows no updates since October 2023. Its official Facebook page has been inactive since January 23rd, and a Twitter profile linked from TranzactCard's website no longer exists. This silence leaves customers and DBOs without official guidance or confirmation regarding the threat.

The exposure of such extensive personal and financial data carries significant risks. Compromised credit card and gift card details can lead to direct financial theft. Passwords, if reused on other platforms, open users to account takeovers across multiple services. Email addresses and phone numbers are valuable for targeted phishing campaigns, while IP addresses can aid in identity verification bypasses. The alleged backend credentials, if valid, could grant deeper access to TranzactCard's systems, posing a severe operational risk beyond individual user data.

Data breaches involving personal financial information typically trigger specific notification requirements under various state and federal laws, such as the California Consumer Privacy Act (CCPA) and other state data breach statutes. The Federal Trade Commission (FTC) often investigates such incidents, focusing on companies' data security practices and their response to breaches.

Affected individuals are generally advised to immediately change passwords on all relevant accounts, enable two-factor authentication where available, and monitor credit reports for suspicious activity. They should also contact their banks and credit card companies to report potential fraud. Potential victims can find resources on identity theft prevention and recovery from the FTC at IdentityTheft.gov.