On June 3, 2026, EcoCash's X (Twitter) account was hijacked from 1:42 PM to 8:54 PM — over seven hours. During that window, an individual claiming EcoCash had stolen $35 from them took control and posted explicit content. Critically, whoever was behind the hack had full access to EcoCash's customer support DMs — meaning real names, national ID details, account numbers, and transaction references were readable by the attacker for the entire duration. This was not a public leak, but unauthorised access to private customer conversations is a notifiable data breach regardless. Zimbabwe's Cyber and Data Protection Act sets a strict legal clock. It started ticking the moment the breach was discovered.
A post from @VWGroupFan flags that the EcoCash X handle had been taken over, showing a screenshot of a compromised customer support chat thread with PII visible. The post reaches 24,300 views.
An individual claiming EcoCash stole $35 from them took control of the account. Explicit content was posted. The attacker had full access to EcoCash's customer support DMs — meaning customer names, ID details, account numbers, and transaction references were readable by whoever was behind the hack for the entire duration. This was not a public leak, but unauthorised access to private customer conversations is a notifiable breach regardless.
From 1:42 PM through to recovery at 8:54 PM, the account remained out of EcoCash's control for over seven hours. During this entire period, customer data remained accessible and no public statement was issued by EcoCash or Econet Zimbabwe.
Techzim reports that EcoCash has regained control of its X account and removed the unauthorised posts. The account had earlier appeared compromised, with explicit content and a message from the individual claiming responsibility. No formal statement from EcoCash followed.
Breach detected at 1:42 PM CAT, June 3, 2026. All deadlines run from that moment in Central Africa Time (UTC+2).
The moment this breach was discovered, Zimbabwe's Cyber and Data Protection Act and its 2024 Regulations began counting. EcoCash, as a licensed mobile money operator handling customer financial data, is a "data controller" — legally bound to follow a specific response schedule. This is not discretionary.
Financial data combined with national ID details almost certainly meets the threshold of "high risk to the rights and freedoms" of affected individuals — triggering the most stringent notification obligations. The 24-hour POTRAZ deadline fell at 1:42 PM on June 4, 2026. The 72-hour direct notification deadline falls at 1:42 PM on June 6, 2026.
The company must submit a formal Data Breach Notification Form DP3 to the Postal and Telecommunications Regulatory Authority of Zimbabwe. Not a press release. Not an internal memo. A regulatory submission with details of what happened.
If the breach poses a high risk to affected individuals, the company must contact each data subject personally. A vague tweet or public statement does not satisfy this requirement. If 72 hours have passed and you have not been contacted — the company may already be in violation.
The Authority may request specific information about the breach, the systems involved, and the company's response. The company has 14 days to comply with those requests.
A full internal investigation must be complete and a final report submitted to POTRAZ. This report should account for the cause, scope, and remedial actions taken.
The law requires "appropriate technical and organisational measures" to prevent unauthorised access to customer data. A public-facing support channel handling sensitive financial and ID information must be protected accordingly. The fact that it was compromised raises an immediate question about what those measures actually were.
Companies of this scale and data sensitivity are required to designate a Data Protection Officer — someone responsible for monitoring compliance, acting as a contact point for data subjects, and overseeing breach response. Their absence from this process would itself be a violation.
The breach happened on a third-party platform. The law requires a formal written contract or legal instrument between the company and any third party that processes data on its behalf, including binding security obligations. "It happened on Twitter" is not a legal defence if that contract didn't exist or wasn't enforced.
The company is legally responsible for the actions of its representatives, agents, and data processors. Accountability cannot be delegated away. The law makes this explicit — and any investigation will trace liability back to the data controller regardless of where or how the breach occurred.
This is not just a personal matter. Breaches of financial PII undermine trust in the entire mobile money ecosystem. The law gives you specific tools — not just sympathies.
If the breach poses a high risk to you, the company must notify you directly — not via a general statement. You also have the right to know how your data was being used before the breach occurred.
You can file a formal complaint with POTRAZ regarding how your data was processed and what happened in the aftermath. A formal complaint triggers a structured regulatory response — not just an acknowledgement.
POTRAZ has the authority to conduct a formal inquiry or investigation into the incident at your request. This means a third party — not the company — examines what actually happened.
You can inspect POTRAZ's public register of licensed data controllers to verify whether the company was even authorised to handle and process your data in the way it did, including in the way that data was subsequently exposed.
Your answers to these questions shape the strength of your complaint. But regardless of where you land — you have standing to act.
| # | Question | Why It Matters |
|---|---|---|
| 1 | Has the provider contacted you officially? | If not, and 72 hours have passed, that is a violation to report |
| 2 | Have you filed with POTRAZ? | Formal complaints trigger investigations |
| 3 | Did you initiate the support chat, or were you contacted first? | Shapes the scope of data exposed and your legal standing |
Include: what data was exposed, the time window, whether you were notified, and any communication (or lack thereof) from the provider. Formal complaints trigger a structured regulatory process — not just an email reply.
You can ask POTRAZ for access to the breach notification the company submitted (Form DP3). If no report exists, that absence is evidence of non-compliance.
Verify whether the company holds the correct authorisation to process financial PII and operate a support channel of this type. An unlicensed controller faces compounded liability.
The exposed data — name, ID, account number, transaction references — is enough for targeted social engineering or fraud attempts. Watch your mobile money wallet and report any suspicious contact immediately.
If an investigation finds the provider failed to maintain adequate security, failed to report the breach in time, or failed to notify affected individuals — these are not administrative slaps on the wrist. They reflect what the law considers appropriate for mishandling personal financial data.
"It happened on Twitter" is not a legal defence if the company did not have adequate controls, contracts, and a designated officer in place before the breach occurred.
Sources: @VWGroupFan on X — first public signal of the hack, 1:42 PM Jun 3, 2026 · @RoboXnet on X — further documentation of the compromised account · ZimLive — EcoCash X account hacked by individual claiming company stole $35 · Techzim — EcoCash regains control of X account, 8:54 PM Jun 3, 2026 · Zimbabwe Cyber and Data Protection Act (Chapter 12:07) · Cyber and Data Protection (General) Regulations, 2024 (S.I. 163 of 2024). Breach notification obligations and timelines as stipulated in Part IV of the Regulations. · Techzim — How POTRAZ can help if you're dissatisfied with your service provider's handling of your complaint