A threat actor operating under the alias "Jeffrey Epstein" claims to have exfiltrated the personal data of more than 400,000 Belgian customers of Bol, the Netherlands' largest online retailer. The breach was first reported by Cybernews on April 21, 2026, with the actor providing a downloadable sample to substantiate the authenticity of the dataset. Bol, which serves over 14 million customers across more than 44,200 sales partners, has publicly denied any compromise, telling Tweakers.net that all systems are functioning normally and that no ransomware or intrusion has been detected.

What Happened

The actor surfaced the alleged breach on a cybercrime forum, posting a sales listing for a database containing records of roughly 400,000 Belgian Bol users. To validate the claim, the actor released a downloadable sample for potential buyers and journalists to verify. Negotiations for the full dataset are being conducted over Telegram and Session, an encrypted messaging platform favored by threat actors for its lack of metadata retention.

Bol's spokesperson pushed back publicly, stating there is no evidence of a hack, attack, or ransomware incident, and confirming no signs of system compromise on their end. As of publication, the retailer has not confirmed whether an internal or third-party forensic investigation has been initiated. The discrepancy between the actor's sample data and Bol's denial leaves affected customers in an ambiguous state, with no official breach notification issued to impacted individuals.

What Was Taken

The stolen dataset reportedly contains a deep profile of each affected customer. Exposed fields include:

Passwords and bank account credentials were reportedly not included in the leak. However, the combination of identity attributes, contact data, and purchase history is more than sufficient to fuel highly targeted social engineering campaigns. The sensitivity of the compromised information is rated high, with a breach severity score of 85 and an impact rating of 4, reflecting the scale of the PII exposure.

Why It Matters

Bol is a household brand across the Benelux region, and 400,000 Belgian records represent a significant portion of the country's online retail consumer base. The dataset's combination of verified identity fields and order histories makes it an unusually potent resource for fraud operators. Even without passwords, attackers can craft convincing spear-phishing lures referencing real purchases, spoof delivery notifications, or impersonate Bol customer service to harvest credentials and payment card data downstream.

The incident also highlights a recurring pattern in 2026 breach disclosures: public denial by the victim organization while a sample dataset circulates in criminal marketplaces. Whether the data originated from Bol directly, a sales partner in its 44,200-strong marketplace network, or a third-party logistics or payment processor, the downstream risk to Belgian consumers remains identical.

The Attack Technique

The intrusion vector has not been disclosed. The actor has not publicly claimed a specific technique, and Bol has not acknowledged any compromise from which to work backwards. Given the structure of Bol's business, which relies heavily on a sprawling partner ecosystem, plausible pathways include a supply-chain compromise through a seller account, exploitation of a vulnerable API exposed to marketplace partners, credential stuffing against administrative interfaces, or an intrusion at a third-party fulfillment or CRM provider. The absence of passwords in the leaked set, combined with the presence of complete order histories, suggests data pulled from an operational or analytics database rather than a raw authentication store.

What Organizations Should Do

  1. Validate the sample independently. Large retailers and partners in Bol's ecosystem should obtain the leaked sample through threat intelligence channels and cross-reference it against their own customer records to determine whether the data originated from a shared upstream source.
  2. Monitor for phishing lures referencing Bol. Belgian and Dutch security teams should tune email gateways and user-awareness training to flag delivery-notification and order-confirmation pretexts impersonating Bol in the coming weeks.
  3. Audit marketplace and partner API access. Retailers operating multi-seller platforms should review authentication, rate limiting, and data-access scoping on partner-facing APIs, which are common weak points in marketplace breaches.
  4. Harden identity verification for high-risk transactions. Given the exposure of full PII plus order history, knowledge-based authentication is no longer reliable for affected customers. Move toward step-up MFA and device-based signals.
  5. Engage breach-notification counsel proactively. Under GDPR, a confirmed breach affecting Belgian residents triggers a 72-hour notification obligation. Organizations connected to Bol's supply chain should prepare disclosure workflows now rather than reactively.
  6. Track actor infrastructure. The alias "Jeffrey Epstein" and associated Telegram/Session handles should be added to threat intelligence watchlists for correlation with other ongoing campaigns targeting European e-commerce.

Sources: Bol: Over 400K records allegedly stolen from major Dutch webshop Bol, data leaked