Since January 9, 2026, the Mexican Telecommunications Regulatory Commission requires that all mobile lines in the country be associated with a verified identity.
Until now, SIM cards could be purchased completely anonymously, something that changes with mandatory registration. A logical measure to avoid the telephone SCAM that, in recent hours, has sparked controversy.
The alleged gap. Less than 24 hours after the mandatory registration of mobile lines came into force in Mexico, Telcel, one of the largest operators in the country, suffered an alleged security breach that would have exposed personal information of millions of customers.
“The official @Telcel portal presents a critical security vulnerability that exposes the identity, CURP, RFC and email of millions of users. This occurs only 24 hours after the regulations that require the registration of all mobile lines in the country came into force. When entering any Telcel telephone number in the form, the internal system returns – without the need for passwords or verification codes – a complete information package of the owner of the line. This is extremely dangerous. Any cybercriminal could use some of Telcel’s number bases and automate the massive extraction of information”. Ignacio Gómez Villaseñor, journalist.
The reports pointed to a massive leak from each and every one of its clients, with sources assuring that for a few hours it was possible to access the data through the official Telcel portal.
Telcel’s response. The spread of the alleged breach was such that Telcel did not take long to call for calm. Of course, it did so with a somewhat ambiguous statement in which it neither affirms nor denies that the security breach occurred.
“Your data is secure. Each user receives a unique code by SMS to only access their own information and link their line. We have implemented additional security measures to the registration process. The process is secure and your data is protected.” Telcel.
Although Telcel assured that, at the time of its publication, the data was safe, the company acknowledges having implemented additional security measures during the registration process.
hours later. Renato Flores, deputy director of communications at Telcel, acknowledged hours later on one of the national radio stations that there was a technical vulnerability.
“Telcel acted quickly, responsibly and transparently. We detected a vulnerability, we corrected it immediately, we reinforced security and at all times we protected our customers’ data.”
Despite admitting the gap, the company’s position remained firm: it ensured that only one’s own information could be accessed as a user, not that of the rest of the company’s clients. It is something that Gómez Villaseñor was quick to deny through a video published on X, in which he showed how he was able to access user data.
The risks. According to the source, the following data was exposed for hours:
- Owner identity
- CURP (Unique Population Registry Key)
- RFC (Federal Taxpayer Registry)
A case relatively similar to the recent Endesa hack suffered in Spain, through which the alleged attackers claim to have obtained more than 1TB of information related to account numbers, identities, addresses, telephone numbers and emails.
A bumpy process. In the middle of the debate, the Telecommunications Regulatory Commission (CRT) clarified that, during the first phase of this national registry, there were certain “intermittencies on various platforms” due to the high volume of users, without giving too many details in this regard.
The Commission avoided referring to the specific case, and limited itself to pointing out that it remains in contact with the operators to normalize the service.
And now what. At the moment, there is no news about possible exploitation of the supposed vulnerability. If this had occurred, the attackers would have access to customers’ personal information, as happens in any other case of mass hacking.
In the face of these leaks, the user’s only response may be to be alert: not to respond to or provide sensitive data through SMS, calls, WhatsApp messages or email communications (or any of our means of contact that may have been leaked) without being very clear about who we are referring to.
Image | WorldOfSoftware
In WorldOfSoftware | A single person in Barcelona and 2.5 million SMS per day: the “mobile farms” that operate in Spain to scam you
