A threat actor has claimed responsibility for an alleged breach of payment technology provider Nayax, asserting that it exfiltrated more than 100TB of internal company data, including payment card information, customer records, source code, financial documents, and internal credentials.
The claims were published on a cybercrime forum alongside a dedicated leak site threatening to release the purportedly stolen data on July 21. At the time of publication, the claims had not been independently verified, and Nayax had not issued any public statement.
Threat actor claims long-term access
According to the forum post, the threat actor allegedly maintained access to Nayax’s environment for nearly a year before exfiltrating data. However, no evidence has been presented that independently verifies the duration of the alleged compromise or the scale of the claimed data theft.
The actor claims the stolen information includes payment card data, Know Your Customer (KYC) records, transaction histories, customer identities, internal API keys, infrastructure documentation, database exports, source code repositories, financial records, email communications, and ERP platform data. Similar claims involving source code and cloud credentials have surfaced in other recent alleged breaches, including Accenture’s alleged source code and cloud credential leak, though the circumstances surrounding each incident differ.
The forum post also alleges that more than 1 billion payment card records were obtained. BreachNews has not independently verified that claim.
Release threatened for July 21
The threat actor claims the alleged dataset will be published on July 21 through an online portal that would allow users to search and download portions of the purportedly stolen information.
The actor also claimed it would provide advance notice before the planned publication and made statements encouraging market participants to trade on the anticipated release. There is no evidence that the claimed dataset exists in the form described or that any public release will occur.
Public company faces unverified extortion claim
Nayax develops payment and commerce technology for unattended retail environments, including vending machines, parking systems, laundromats, and self-service kiosks. The Israeli fintech company operates globally and is publicly traded on both the Nasdaq and the Tel Aviv Stock Exchange.
While large-scale breach claims involving payment data can pose significant risks if confirmed, threat actors have previously exaggerated the volume or sensitivity of allegedly stolen information to increase pressure on victims during extortion attempts.
Nayax had not issued any public statement at the time of publication, and there is currently no independent confirmation that the company experienced the breach described by the threat actor.












