Logo for Banorte

In August 2022, millions of records from Mexican bank “Banorte” were publicly dumped on a popular hacking forum including 2.1M unique email addresses, physical addresses, names, phone numbers, RFC (tax) numbers, genders and bank balances. Banorte have stated that the data is “outdated”, although have not yet indicated how far back it dates to. Anecdotal feedback from HIBP subscribers suggests the data may date back 8 years to 2014.

Apparently the bank tried to contain the breach by a cease and desist letter. That did not work as you can read on KrebsonSecurity:

The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.

Banorte claims this breach is not so bad because the data is outdated. That means that for some people it may be partially (or completely) wrong, but for many people the data is accurate and still valuable to cybercriminals that will likely use it in spray-and-pray attacks for identity theft, bank fraud, etc.

Troy Hunt covers it in his podcast (starting at 42:39 and until 49:15):

This tweet contains a screenshot that reads:

With regards to the publication of a supposedly database belonging to Banorte, we inform you that:

  1. No vulnerability to our platforms and technological infrastructure has been presented.
  2. The set of information that is referred is inexact and out of date and doesn’t put our users and clients at risk.

Banorte is dedicated to the security of our clients and the integrity of your information.

Pepe Flores correctly points that changing your home address, email, phone or RFC number isn’t easy. 10 year old databases with that information are still valuable.



Accounts breached: 2107000

Breached on: August 18, 2014

Exposed data: Account balances, Email addresses, Genders, Government issued IDs, Names, Phone numbers, and Physical addresses

Domain: banorte.com

Added on: August 18, 2022

%d bloggers like this: