What happened
A threat actor operating under the name “Jeffrey Epstein” has allegedly listed a dataset of approximately 400,000 Bol.com customer records for sale on a cybercrime forum. The claim was surfaced by Dark Web Informer on April 20, 2026. The seller asserts the data pertains to customers from Belgium and includes names, addresses, dates of birth, usernames, email addresses, phone numbers, last login dates, and identification numbers, though the exact nature of those identifiers is unclear. The seller also claims Bol.com serves approximately 14 million customers total.
Bol.com, the Netherlands’ largest e-commerce platform, said it has no indications of a security incident. The company confirmed it is investigating the report but stated its systems are functioning normally and that there are no signs pointing to a hack, data breach, or ransomware attack. No independent verification of the dataset’s authenticity or origin has been published.
Who is affected
The alleged dataset specifically targets Belgian customers of Bol.com. If authentic, the exposed personal and account-level data would put those individuals at elevated risk of phishing, account takeover attempts, and identity fraud. The platform’s broader customer base of 14 million across the Netherlands and Belgium is not claimed to be affected, though Bol.com has not yet confirmed or denied the validity of the data.
Why CISOs should care
Bol.com’s denial is notable, but it doesn’t close the question. Datasets circulating on cybercrime forums don’t always originate from recent breaches. They can be aggregated from older incidents, purchased from other sources, or partially fabricated. The harder question for security leaders is not whether Bol.com was breached, but whether the data being sold is real and actionable for attackers regardless of where it came from. If it is, the downstream risk to affected customers is the same either way.
This case is also a reminder that dark web listings about your organization or your vendors can surface before any internal detection picks them up. Proactive monitoring of these channels is increasingly a standard expectation.
3 practical actions
- Monitor dark web forums for mentions of your organization and your key vendors: Threat intelligence coverage that includes cybercrime marketplace listings gives you earlier warning of potential data exposure than waiting for internal detection or public disclosure.
- Prepare a rapid assessment process for unverified breach claims: When a listing appears and your systems show no signs of compromise, you still need a defined process to verify the data’s authenticity quickly, including sampling checks and coordination with threat intelligence partners.
- Review customer notification and regulatory obligations under GDPR for unconfirmed incidents: European data protection regulators expect organizations to assess potential incidents even when a breach is not yet confirmed. Having a defined threshold and process for when to notify authorities is essential, especially for platforms with millions of EU customers.
For more news about incidents involving exposure of personal and sensitive records, click Data Breach to read more.