Polish hacker charged seven years after massive Morele.net data breach

INDUSTRY NEWS 2 min read Polish hacker charged seven years after massive Morele.net data breach Graham CLULEY February 12, 2026 Promo Protect all your devices, without slowing them down. Free 30-day trial A 29-year-old Polish man has been charged in connection with a data breach that exposed the personal details of around 2.5 million customers of the popular Polish e-commerce website Morele.net. Poland's Central Cybercrime Bureau (CBZC) announced that charges were filed on 30 January 2026, following years of investigation into the 2018 breach of Morele.net, that specialises in electronics, computer equipment and home appliances. The high-profile breach of Morele.net, whose international equivalents include the likes of Best Buy, Newegg, and Amazon, sent shockwaves through Poland's online retail sector. The investigation into the data breach had originally been shelved after police failed to identify a suspect, but authorities claim that the trail never went entirely cold. Over time investigators identified the attack vector, reconstructed the sequence of events, and traced digital breadcrumbs back to the alleged hacker - demonstrating their determination in a YouTube video. According to a CBZC press release, the suspect has admitted responsibility for the hack. The cyber attack exposed names, email addresses, phone numbers, home addresses, and md5crypt-hashed passwords. Although payment card details were not compromised in the breach, it was reported that some 35,000 customers did have particularly sensitive information stolen, including national ID numbers, financial details, education information, income, and marital status. Morele.net refused to pay a ransom, and the breached database was published online. Unfortunately for the site's users who had their information breached, fraudsters weaponised the stolen data immediately. Victims reported receiving SMS messages demanding payment of 1 Polish zloty to "complete" their orders, accompanied by phishing links that stole banking credentials. In 2019, in what was one of the country's largest GDPR-related fines at the time, Poland's data protection authority regulator hit Morele.net to the tune of €645,000, claiming that had failed to detect and respond to unusual network traffic. Morele.net contested the fine, arguing that its security measures were reasonable even if they ultimately proved insufficient against a determined attacker, and eventually Poland's Supreme Administrative Court annulled the penalty, saying it had finding deficiencies in the regulator's justification and calculation of the fine. Now, however, it is the alleged hacker who will be hoping he can escape receiving a heavy punishment. If anything, this case serves as a timely reminder to cybercriminals that they should not assume that they have evaded justice just because years have passed since their offence. Digital forensics techniques continue to improve, and law enforcement agencies are increasingly willing to pursue cold cases when new leads emerge. TAGS industry news AUTHOR Graham CLULEY Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s. View all posts RIGHT NOW TOP POSTS SCAM HOW TO Scammer phone number lookup. How to check if a phone number is a scam April 19, 2024 FAMILY SAFETY How to Outsmart AI Voice Scammers Pretending to Be Your Family March 03, 2026 SCAM DIGITAL PRIVACY HOW TO How scammers gain access and hack your WhatsApp account and what you can do to protect yourself May 01, 2024 INDUSTRY NEWS 200,000 naked Snapchat images leaked, after third-party hack October 13, 2014 FOLLOW US ON SOCIAL MEDIA YOU MIGHT ALSO LIKE INDUSTRY NEWS Dutch police arrest man for "hacking" after accidentally sending him confidential files Graham CLULEY February 18, 2026 INDUSTRY NEWS Spanish police say they have arrested hacker who booked luxury hotel rooms for just one cent Graham CLULEY February 20, 2026 INDUSTRY NEWS Notorious ransomware gang allegedly blackmailed by fake FSB officer Graham CLULEY February 26, 2026 BOOKMARKS You have no bookmarks yet. Tap to read it later.