More than 1.8 million customers of Naturgy could be affected by an alleged security breach that would have allowed the exfiltration of a large database. The incident would involve the exposure of sensitive financial and operational information linked to energy supplies in Spain, compromise user privacy, and put their economic assets at risk.
Scope and content of the leaked data
The magnitude of the attack is estimated at around an extraction of approximately 74.2 gigabytes of information. Among the compromised records are first names, last names, identification numbers such as DNI or NIF, as well as email addresses and mobile phone numbers. The data would also include critical financial details with full IBAN numbers, SEPA contract specifications, and signing dates, which amplifies the risk for users.
The set of exposed files also covers technical information relating to supplies, identifying CUPS codes for electricity and gas along with detailed physical addresses including street, number, floor, and postal code. Internal operational data such as service activation dates, contracted tariffs, associated products, and reserved company notes would have been leaked.
Identification of the responsible party and sectoral context
The authorship of the incident is attributed to a known actor in the energy sector under the designation of "spain", who has already registered their activity in other previous attacks. As a demonstration of the real scope of the infiltration, the alleged perpetrator allegedly published a random sample that apparently contains verified records of a thousand clients, serving as a proof of concept of the validity of the stolen data.
This same group would have been responsible for a leak against Endesa that affected 20 million people, including customers and former customers. In January, information relating to 300,000 customers was published after the company refused to meet their financial demands, consolidating a pattern of extortion and mass publication of sensitive databases targeting the electricity sector.
The situation is framed within a wave of recent vulnerabilities in the sector. Iberdrola acknowledged a leak in its marketer Zirconite that compromised 20,000 current and 130,000 former customers. In that case, a hacker accessed similar information including names, tax identifications, locations, and bank accounts, evidencing the persistence of threats targeting critical infrastructures.
Naturgy has not yet issued any official statement confirming the exact origin of the breach or detailing the measures taken to mitigate the impact. The circulation of information responds to a cyber intelligence alert dated April 30, 2026, which classified the event with a critical alert tag regarding a massive data exfiltration. Authorities maintain active surveillance while those affected monitor their accounts for possible fraud attempts resulting from the exposure of personal and banking information.