UK telecommunications company TalkTalk is investigating a third-party supplier data breach after a threat actor began selling alleged customer data on a hacking forum.

“As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier’s systems, however, no billing or financial information was stored on this system,” TalkTalk told BleepingComputer.

“Our Security Incident Response team are continuing to work with the supplier regarding this matter and protective containment steps were taken immediately.”

“Our investigations are ongoing, however we can confirm that the number of potential customers referred to in certain online posts is wholly inaccurate and very significantly overstated.”

This statement comes after someone named “b0nd” began selling what they claim is TalkTalk customer data on a hacking forum that was allegedly stolen in a January 2025 data breach.

“As the title says today we will list for sale a large data breach involving TalkTalk. This breach took place January 2025 and affects 18,839,551 current and previous customers.” reads the post to a hacking forum.

The threat actor also shared a sample of the data, which includes the subscriber’s name, email, last-used IP address, business phone number, and home phone number.

While the forum post says the stolen data contains information about almost 18.9 million current and previous TalkTalk customers, the company does not have nearly that number of subscribers, putting the authenticity of the breach in doubt.

Furthermore, the screenshots shared by the threat actor indicate that the data was possibly stolen from the Ascendon SaaS platform rather than directly from TalkTalk.

CSG Ascendon is a subscription management platform that TalkTalk has historically used as part of its operations.

In 2015, TalkTalk suffered a data breach where hackers accessed the personal details of over 150,000 customers. The incident led to a £400,000 fine by the UK Information Commissioner’s Office.

BleepingComputer contacted the CSG to confirm if they suffered a breach but has not received a reply.