Turkey GSM leak exposes 145M+

A file advertised as the “Turkey GSM combo” is being passed around in breach circles with claims of more than 145 million telecom records, and the sample descriptions say the fields include full names, Turkish national identification numbers, phone numbers, and street addresses. Independent reporting so far describes it as an alleged leak, not a formally confirmed breach by a carrier or regulator. (teknoseyir.com, darkwebinformer.com) The number is so large because Turkey has about 85 million people, but mobile databases count lines, former subscribers, business accounts, foreigners, and duplicate entries across years. A dump can clear 145 million rows without meaning 145 million living people had one fresh account exposed. (teknoseyir.com, bianet.org) Turkey’s mobile system is unusually identity-heavy because SIM cards are tied to official identity documents, and device use is wrapped into a national registration regime that can block unregistered phones from local networks. That means a telecom subscriber record in Turkey can be closer to a passport file than to a simple phone bill. (ozyegin.edu.tr, turkeytravelplanner.com) That is why the most dangerous field in the reported dump is not the phone number but the combination of national identification number, address, and line ownership. A criminal with those three pieces can build convincing fraud scripts, fake customer-service calls, and account takeover attempts that sound real on the first sentence. (pandectes.io, cybernews.com) The story also lands in a country that was already dealing with a much bigger argument over state-held personal data. In September 2024, Turkish outlets reported that data tied to 108 million people had been stolen from official systems, including 82.3 million residential addresses and 134.8 million mobile phone numbers. (bianet.org, mlsaturkey.com) Turkey’s transport minister later confirmed that millions of identity records had been stolen “during the pandemic,” which turned what first looked like rumor into a public admission that core personal data had escaped government control. That earlier breach matters here because a “combo” file often means old data has been merged, cleaned, and repackaged rather than freshly stolen from one database in one night. (duvarenglish.com, group-ib.com) That word “combo” is doing a lot of work. In breach markets, a combo list usually means someone stitched together records from several leaks, removed obvious duplicates, and sold it as one convenient file for phishing, impersonation, or account testing. (breachsense.com, flare.io) So the key question is not only “Was one Turkish carrier hacked this week?” but also “Are old government, telecom, and commercial records being fused into a more usable map of real people?” A merged file with names, identity numbers, addresses, and active-looking phone lines can be more useful to criminals than a raw database dump from a single company. (group-ib.com, mlsaturkey.com) Turkey’s regulator, the Personal Data Protection Authority, requires breach notifications from data controllers and in January 2026 said public breach notices would stay on its site for a maximum of 60 days. That means official confirmation can appear late, disappear quickly, or arrive in pieces while an investigation is still moving. (ksthukuk.com, dlapiperdataprotection.com) There is recent precedent for telecom-related fallout too. In early 2026, reporting on a Personal Data Protection Authority notice said Vodafone Net data may have been accessed from a processor’s system, affecting subscribers, employees, and partners after an incident that started on January 10 and was detected on January 26. (searchinform.com, earthpressnews.com) If the “Turkey GSM combo” is authentic, the immediate damage will probably show up as fraud before it shows up as fines. A caller who knows your full name, home address, national identification number, and mobile operator does not need malware to cause damage; they just need five believable minutes on the phone. (cybernews.com, pandectes.io) What happens next is simple to watch even if the leak itself stays murky: a carrier denial, a Personal Data Protection Authority notice, or samples that match real subscribers across multiple operators. Until one of those appears, the safest reading is that Turkey may be looking at either one of its largest telecom exposures or a newly packaged version of the giant citizen-data leaks it never fully contained. (teknoseyir.com, duvarenglish.com, ksthukuk.com)