Full Report
## What Happened

Over the course of September 2025 to May 2026, Hargreaves Lansdown, the UK-based investment platform, has been the subject of IT glitches, hacker claims, and technical outages that have triggered rumours and customer concerns.

On 11 September 2025, Hargreaves Lansdown customers reported discrepancies in the balances of their pension and ISA accounts, appearing as if huge sums had been mysteriously withdrawn. Customers began to fear they had been “hacked” after they logged into their accounts and saw their life savings reduced. Within 24 hours, however, Hargreaves Lansdown responded that it was a temporary technical issue that lasted only 45 minutes and that all client balances had been restored.

On 20 March 2026, Hargreaves Lansdown customers began experiencing technical issues affecting some parts of its website and app. The company apologised to customers for IT issues which left them unable to access their accounts during a period of heightened volatility in the financial markets. The company also assured customers that there was no evidence of a cyber incident or data breach and that all customer assets and data were secure.

On 27 April 2026, Hargreaves Lansdown (hl.co.uk) was listed as a victim on the Bashe Tor data leak site. The attacker claimed to have stolen its customer database of 658,259 unique users and shared five links to other servers from which other Tor users could download the alleged data.

On 8 May 2026, the alleged Hargreaves Lansdown data appeared on DarkForums, a cybercrime forum. From the sample posted, the database on offer contains addresses, names, emails, phone numbers, and dates of birth. However, no Hargreaves Lansdown customer account numbers or transaction details were included in the sample.

## Analyst Comment

Hargreaves Lansdown is the UK's largest direct-to-consumer investment platform, allowing customers to buy and sell investments such as shares, as well as providing financial advice and offering accounts like cash ISAs.

Active since April 2024, Bashe (aka APT73 or Eraleign) is a cybercriminal group that focuses on data-theft extortion and ransomware. Analysts at CloudSEK found that APT73 fabricates attacks by falsely claiming responsibility for high-profile breaches, aiming to attract affiliates and bolster its credibility. The group is known for taking credit for attacks that either never happened or were not carried out by them.

Analysis of the sample data posted to DarkForums and the Bashe Tor data leak site revealed it to be purposely selected UK-based user records. Checking the email addresses against HaveIBeenPwned, the DarkForums sample emails all appeared in the Verifications[.]io breach as well as the People Data Labs (PDL) customer breach. This is unusual for recently leaked data and likely points to both the Bashe leak site and the DarkForums post sharing fake data. Further, data from a financial trading platform such as Hargreaves Lansdown would be considered highly valuable on the cybercrime underground and could be sold for a large amount of cryptocurrency; it is therefore again unusual for it to be dumped for free on a forum or Tor site.

Based on the technical analysis of the leaked data sample and the established behavioural patterns of the threat actor, it is assessed with high confidence that the alleged data breach of Hargreaves Lansdown is entirely fabricated. It appears Bashe opportunistically weaponised Hargreaves Lansdown’s recent IT outages and glitches (in September 2025 and March 2026) to construct a plausible, but false, narrative of a successful hack.
By capitalising on pre-existing customer anxieties regarding platform stability, these cybercriminals attempted to reinforce their claims and extort their target for a quick ransom. This incident highlights an evolving trend in which threat actors substitute psychological manipulation for complex technical exploits.

## Defensive Takeaways

- **Counter Adversary Threats:** To counter this trend, UK firms must integrate their public relations (PR), incident response, and threat intelligence teams. Quick, transparent communication that explicitly decouples internal IT glitches from external cyber threats remains an effective defence against brand-damaging, clout-chasing extortion tactics.
- **Precautionary Threat Hunting:** Even in a fake breach scenario, it is still important to threat hunt for malicious and suspicious activity involving the potentially targeted systems, to help prove that the alleged data exfiltration never happened. In this scenario, the attacker claimed to have stolen the customer database. Therefore, it would be prudent to hunt specifically for any signs of data theft involving systems hosting customer data.
- **Precautionary Password Resets:** In a scenario like this, companies may want to trigger a precautionary customer password reset “just to be on the safe side”. However, credential rotation must be calculated, automated, and decoupled from any fear, uncertainty, and doubt (FUD). If an incident response includes this action, it must be a measured approach. Triggering a mass password reset without tailored communications can unintentionally support the cybercriminals’ fake breach narrative and could trigger mass panic.

## Relevant Sources

- https://archive.is/jXLF1
- https://www.ransomware.live/id/aGwuY28udWtAYXB0NzM
- https://uk.finance.yahoo.com/news/hargreaves-lansdown-outage-halts-customer-132845651.html
- https://www.bbc.co.uk/news/articles/cx2reyjdyjzo
- https://x.com/hlinvest/status/2034923194176426310
- https://x.com/ibreaches/status/2052737608153997519

## Relevant CTI Resources

- https://www.ransomware.live/group/apt73
- https://www.cloudsek.com/blog/unmasking-media-hungry-ransomware-groups-bashe-apt73
Analysis Summary
# Incident Report: Fabricated Data Breach and Extortion Attempt Against Hargreaves Lansdown
## Executive Summary
Between September 2025 and May 2026, the UK investment platform Hargreaves Lansdown faced a coordinated extortion attempt by the threat actor "Bashe" (APT73). The actor opportunistically weaponised legitimate internal IT glitches to claim a successful breach of 658,259 user records. Technical analysis confirmed the "leaked" data was actually recycled from previous third-party breaches, concluding with high confidence that no actual breach of Hargreaves Lansdown systems occurred.
## Incident Details
- **Discovery Date:** 27 April 2026 (Listing on Tor leak site)
- **Incident Date:** September 2025 – May 2026 (Ongoing campaign)
- **Affected Organization:** Hargreaves Lansdown
- **Sector:** Financial Services / Investment Platform
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** 11 September 2025 and 20 March 2026
- **Vector:** N/A (Internal IT technical glitches)
- **Details:** Legitimate technical outages caused account balance discrepancies and login failures. While these were internal glitches, they served as the "narrative" foundation for the threat actor's later claims.
### Lateral Movement
- **Details:** No evidence of lateral movement. Analysis indicates the threat actor never had access to the internal network.
### Data Exfiltration/Impact
- **Details:** Threat actor "Bashe" claimed to have exfiltrated a database of 658,259 unique users. However, investigation proved the data was fabricated using records from the historical Verifications[.]io and People Data Labs (PDL) breaches.
### Detection & Response
- **27 April 2026:** Hargreaves Lansdown listed on Bashe Tor data leak site.
- **8 May 2026:** "Sample" data appears on DarkForums containing names, emails, and phone numbers.
- **Post-Entry Analysis:** Security analysts cross-referenced data with HaveIBeenPwned, discovering the records were recycled from older, unrelated breaches.
## Attack Methodology
- **Initial Access:** Psychological Manipulation/Social Engineering (Weaponising existing IT outages).
- **Persistence:** None.
- **Privilege Escalation:** None.
- **Defense Evasion:** Use of Tor leak sites and DarkForums to project an image of successful compromise.
- **Credential Access:** None (recycled records from old leaks were used to simulate new access).
- **Discovery:** Monitoring of financial news and service status pages to identify targets with recent outages.
- **Lateral Movement:** None.
- **Collection:** Aggregation of publicly available or previously leaked data.
- **Exfiltration:** None.
- **Impact:** Brand damage and customer panic through psychological manipulation and false extortion claims.
## Impact Assessment
- **Financial:** Low (No ransom paid; no direct theft of assets).
- **Data Breach:** None (Fabricated; existing data was from 3rd party breaches).
- **Operational:** Minimal (Internal IT issues had already been resolved).
- **Reputational:** High (Customer anxiety regarding "disappearing" life savings and fears of insecurity).
## Indicators of Compromise
- **Network indicators:** hxxps://hl[.]co[.]uk (Targeted domain); Bashe Tor Leak Site.
- **File indicators:** Database samples (658,259 records) hosted on five external Tor servers.
- **Behavioral indicators:** Clout-chasing behavior; fabrication of breaches; publishing data samples that appear in historical breaches (e.g., Verifications[.]io).
## Response Actions
- **Transparency:** Hargreaves Lansdown issued swift communications within 24 hours of the initial glitch to restore trust.
- **Verification:** Analysts performed technical verification of "leaked" samples to prove they were not contemporary or sourced from the platform.
- **Counter-Narrative:** Public decoupling of IT technical errors from malicious cyber activity.
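The verification step above, written out as an added example (not the report's or Hargreaves Lansdown's own tooling): each sample email is looked up in HaveIBeenPwned and counted as recycled only if it appears in a breach dated before the leak-site listing, and the verdict also flags platform-specific fields (account numbers, transactions) that a recycled combo list would not contain. `hibp_lookup` calls the real HIBP v3 endpoint and needs an API key; `assess_sample`, `SAMPLE`, `KNOWN` and `demo_lookup` are assumed names and constructed stand-ins so the check runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import date

CLAIM_DATE = date(2026, 4, 27)  # day the listing appeared on the Tor leak site

def hibp_lookup(email, api_key):
    """Live HIBP v3 query; returns [(breach_name, breach_date)] for one account."""
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           + urllib.parse.quote(email) + "?truncateResponse=false")
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": "claim-triage"})
    try:
        with urllib.request.urlopen(req) as resp:
            return [(b["Name"], date.fromisoformat(b["BreachDate"])) for b in json.load(resp)]
    except urllib.error.HTTPError as err:
        if err.code == 404:  # HIBP answers 404 when the account is in no known breach
            return []
        raise

def assess_sample(records, claim_date, lookup, threshold=0.9):
    """Share of sample emails already exposed before the claim date, which old breaches
    they come from, and whether platform-specific fields (absent from old leaks) are present."""
    recycled, unseen, sources = 0, [], {}
    for rec in records:
        prior = [(n, d) for n, d in lookup(rec["email"]) if d < claim_date]
        if prior:
            recycled += 1
            for name, _ in prior:
                sources[name] = sources.get(name, 0) + 1
        else:
            unseen.append(rec["email"])
    share = recycled / len(records) if records else 0.0
    fields = set().union(*(r.keys() for r in records)) if records else set()
    specific = sorted({"account_number", "transaction_id", "balance"} & fields)
    verdict = "likely recycled" if share >= threshold and not specific else "needs live investigation"
    return {"records": len(records), "recycled_share": round(share, 3), "unseen": unseen,
            "sources": sorted(sources.items(), key=lambda kv: -kv[1]),
            "platform_fields": specific, "verdict": verdict}

# Constructed demo data (not the real sample) with the report's field shape; KNOWN stands in for HIBP.
SAMPLE = [{"name": "A One", "email": "a1@example.invalid", "phone": "+44 7000 000001", "dob": "1970-01-01"},
          {"name": "B Two", "email": "b2@example.invalid", "phone": "+44 7000 000002", "dob": "1981-05-05"},
          {"name": "C Three", "email": "c3@example.invalid", "phone": "+44 7000 000003", "dob": "1992-09-09"}]
KNOWN = {"a1@example.invalid": [("VerificationsIO", date(2019, 2, 25)), ("PDL", date(2019, 10, 16))],
         "b2@example.invalid": [("VerificationsIO", date(2019, 2, 25))],
         "c3@example.invalid": [("PDL", date(2019, 10, 16)), ("LaterBreach", date(2026, 6, 1))]}

def demo_lookup(email):  # offline stand-in for hibp_lookup
    return KNOWN.get(email, [])
```

A real run would pass `lambda e: hibp_lookup(e, API_KEY)` as the lookup and keep `unseen` as the list of records that warrant a live investigation rather than a recycled-data verdict.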
## Lessons Learned
- **Weaponised Glitches:** Threat actors no longer require a technical exploit to cause an incident; they can "hijack" a legitimate IT failure to create a crisis.
- **Data Recyclability:** Extortion groups frequently use "zombie data" from years-old breaches to claim new victories.
- **Speed of Communication:** Rapid, transparent PR is as critical as technical IR in modern extortion scenarios.
## Recommendations
- **Integrated IR and PR:** Ensure the PR team is briefed by Threat Intelligence to explicitly state when an outage is technical vs. malicious.
- **Precautionary Threat Hunting:** Conduct deep-dive audits of customer databases following any public claim of theft, even if the claim is suspected to be false, to provide a "clean bill of health."
- **Measured Password Resets:** Avoid reactive mass password resets unless a breach is confirmed, as this can inadvertently validate a threat actor's false claims and cause unnecessary mass panic.