Massive Customer Data Breach Hits Shwapno; Over 27 Million Records Leaked
The database of customers who shopped at Shwapno in 2025 has been compromised, with hackers publicly releasing a “Databreach Checker” tool.
According to the checker, a total of 27,040,472 purchase records from Shwapno have been leaked, exposing 2,058,384 customer phone numbers to public access.
Many users have been verifying online whether their personal numbers were exposed. The checker has already recorded hundreds of thousands of page views. More than 18,000 people have checked their numbers, with over 6,000 flagged as high-risk.
Security analysts have warned that even verifying one’s number through the checker carries the risk of further data breaches. The Cyber Crime Awareness Foundation noted that a data leak does not merely mean a few numbers have been stolen; it puts the private information of millions of people at extreme risk. “Today, personal data is potentially in the hands of criminals on the dark web, and the company cannot avoid responsibility for this,” the foundation added.
Cybersecurity expert Tanvir Zoha described the incident as a “warning signal,” emphasizing that leaked data—including phone numbers, purchase histories, and location—could be exploited. “Wrong hands could use this information to target individuals via calls, exploit shopping habits to commit fraud, manipulate OTPs or banking systems to steal money, and even open accounts in customers’ names. Customers must remain vigilant,” he warned.
Shwapno operates both online and offline platforms, but the databases for both are identical, meaning all Shwapno customers—online and offline—could be affected. Sources indicate that the Qilin and LockBit 5.0 ransomware groups were responsible for the data breach.
No immediate statement was issued by Shwapno authorities. Later, Shwapno Managing Director Sabbir Hasan Nasir stated, “Hackers gained control of our company database last December. They demanded $1.5 million from us to regain access.”
Shwapno currently operates 812 outlets across 63 districts and has over 4 million registered customers. The compromised data includes customer names, mobile numbers, and detailed purchase histories. Sabbir Hasan Nasir could not immediately confirm how many customers’ data were at risk.
When asked why action was not taken earlier despite the hack occurring three months ago, he replied that the breach was only recently detected.
Shwapno is preparing a legal case regarding the matter. The company, a subsidiary of ACI Limited, is working with domestic and international forensic experts as well as the police CTC unit to resolve the issue.
The MD claimed that measures have been taken to secure the system. However, no public warning or advisory has yet been issued to inform customers about potential data exposure.
DBTech/IH/MUM/OR



