PhishLabs investigating claims of a possible customer data dump

The alleged breach remains unverified by CyberScoop and PhishLabs but numerous clients have reached out to the company, prompting them to write a blog post publicly announcing an investigation.

Cybersecurity startup PhishLabs has launched an investigation into a possible data breach, the company confirmed to CyberScoop on Wednesday.

Earlier this week, a note posted on Pastebin announced the sale of a data dump and email from Joseph Opacki, the vice president of threat intelligence for the Charleston, South Carolina-based PhishLabs. The company, founded in 2008, sells anti-phishing defense and training to clients aimed at protecting employees and customers.

The original post was taken down within hours, and the Pastebin user hasn’t responded to CyberScoop’s inquiries.

The Pastebin page contained what looked to be a PhishLabs client list, showing 132 customers including tech giants like Apple and dozens of financial institutions.


PhishLabs would not confirm or deny the validity of the list.

“We’ve gotten quite a few questions about it from clients,” said Stacy Shelley, PhishLabs vice president of marketing. “At this point in the investigation, we haven’t found any evidence that any of our client systems or data have been compromised.”

In company marketing materials, PhishLabs says its products are used “by four of the top five U.S. financial institutions, seven of the top 25 global financial institutions, leading social media and career sites, and top healthcare, retail, insurance and technology companies.”

Shelley said the company has been investigating since the initial evidence was made public on Monday, but the forensic analysis could take weeks to complete.

“So far we haven’t turned up anything to confirm what’s in the Pastebin post,” he said. “Validating this sort of information, there’s a lot of log analysis, log review and forensics work to really close the door on that possibility. We take this very seriously so we’re going to get 100 percent certainty on those answers.”


Opacki was previously a technical director at the FBI from 2006 to 2014.

There has been no disruption to PhishLabs clients, with the exception of phone calls and emails to ask about the alleged hack.

“This is our business,” Shelley said. “This isn’t completely unanticipated. We often get targeted by cybercriminals. We learned about this shortly after the post went up and we’ve been working on it since then.”

PhishLabs has taken in investments worth $8.2 million since 2013. Last year’s revenue hit $8.3 million, driven in large part by employee security training services offered by the company.

Patrick Howell O'Neill

Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.

Latest Podcasts