ctipilot.ch

Wind Tre vishing + API-enumeration breach (2025)

incident · incident:wind-tre-2026-vishing-api-enumeration-breach

Two 2025 breaches of Wind Tre's retail-facing customer web application: attackers vished retail POS staff into granting remote access, harvested a stored client digital certificate and credentials, used them as valid MFA'd access, then enumerated an unprotected secondary customer-lookup API (~2M sequential customerId requests) to exfiltrate data on 365,048 customers (payment data for 41,359). Italy's Garante fined Wind Tre EUR 1,715,600 (decision 2026-05-14, published 2026-07-16).

Coverage timeline
1
first 2026-07-17 → last 2026-07-17
Peak priority
notable
1 notable
Sources cited
3
2 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-17/garante-wind-tre-vishing-api-enumeration-fine · ATT&CK page ↗

T1566.004Phishing: Spearphishing Voice×1

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

Evidence: 2026-07-17/garante-wind-tre-vishing-api-enumeration-fine · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-17/garante-wind-tre-vishing-api-enumeration-fine · ATT&CK page ↗

Privilege Escalation TA0004

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-17/garante-wind-tre-vishing-api-enumeration-fine · ATT&CK page ↗

Stealth TA0005

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-17/garante-wind-tre-vishing-api-enumeration-fine · ATT&CK page ↗

Credential Access TA0006

T1552Unsecured Credentials×1

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Evidence: 2026-07-17/garante-wind-tre-vishing-api-enumeration-fine · ATT&CK page ↗

Collection TA0009

T1213Data from Information Repositories×1

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

Evidence: 2026-07-17/garante-wind-tre-vishing-api-enumeration-fine · ATT&CK page ↗

Story timeline

  1. 2026-07-17Garante fines Wind Tre EUR 1.7M over a vishing-enabled API-enumeration breach that exposed 365,048 telco customers
    active-threatsItalian DPA fines Wind Tre EUR 1.7M — retail-staff vishing led to enumeration of an unprotected secondary API (365,048 customers)

Where this entity is cited

  • active-threats1

Source distribution

  • garanteprivacy.it2 (67%)
  • ansa.it1 (33%)

explore in graph

Entries about Wind Tre vishing + API-enumeration breach (2025) (1)

2026-07-17 · view entry permalink →

NOTABLENATOA1

Garante fines Wind Tre EUR 1.7M over a vishing-enabled API-enumeration breach that exposed 365,048 telco customers

The Garante's decision gives a rare, fully technical account of a telco breach. Initial access was voice social engineering: attackers phoned staff at two retail points of sale, posed as internal support technicians, and "convinced operators at two retail points of sale to allow access to company systems" (Garante, 2026-07-16). That remote access yielded the point-of-sale device's installed client digital certificate plus login credentials — reportedly recoverable in cleartext from the desktop or browser rather than held in an OS certificate store — which the attackers then used as valid, MFA-satisfied access to a customer-facing web application. In the first incident that access ran 66 targeted lookups (~23 customers). In the second, days later, the attackers pivoted from the primary (protected) search API to an unprotected secondary API invoked by the same search function and "executed about 2 million total requests following an enumeration logic, i.e. progressively incrementing the customer code identifier ('customerId')," compromising 365,048 customers and, for 41,359 of them, payment-instrument data (Garante, 2026-07-16). The Garante rejected Wind Tre's defense that its API design followed OWASP practice, finding the enumeration-reachable secondary endpoints were "reasonably identifiable" by a vulnerability assessment and penetration test scoped to the API surface — not just the primary documented interfaces.

gli hacker, fingendosi tecnici dell'assistenza, hanno convinto gli operatori di due punti vendita a consentire l'accesso ai sistemi aziendali

Garante per la protezione dei dati personali (Newsletter n.549) 2026-07-16

gli attaccanti sono riusciti ad eseguire circa 2 milioni di richieste totali seguendo una logica di enumeration, ovvero andando ad aumentare progressivamente l'identificativo del codice cliente (c.d. "customerId") violando i dati personali di 365.048 clienti

Garante per la protezione dei dati personali (Provvedimento n.348, 14 May 2026) 2026-07-16
incident17 Jul 04:35Zmulti-sourceOpen finding ↗