Skip to content
Supply chainContained

Leak at Alltricks

In August 2025, French online cycling and sports retailer Alltricks had its Sendinblue/Brevo email-marketing system compromised; attackers sent customers convincing phishing emails from the brand's own infrastructure, exposing names, email addresses and purchase history.

Victim
Alltricks

On 12 August 2025, Alltricks β€” a French online retailer of cycling, running and outdoor sports equipment β€” disclosed an intrusion into its email-marketing system. On the morning of 11 August, customers began receiving emails that appeared completely genuine: they were sent from the brand's legitimate sending domain (r.sb3.alltricks.com) and passed all SPF, DKIM and DMARC authentication checks, making them invisible to standard anti-phishing filters.

The messages were in fact a phishing campaign. They prompted recipients to renew their password or open Excel and OneDrive documents, leading to fake pages designed to harvest login credentials. The attack was traced to a compromise of the account Alltricks used with its marketing-email provider Sendinblue (Brevo): attackers abused the retailer's own trusted sending infrastructure to deliver the lures.

Exposed data categories appear to include:

  • Customer first and last names
  • Email addresses
  • Purchase / transaction history (used to personalise the lures)

Alltricks stated that no payment or banking data was affected. The company alerted customers the same day, urged them not to open the messages, said it was implementing measures to secure its system, and indicated it would notify France's data-protection regulator (CNIL) as required by law. An internal investigation was opened to determine the full scope of any data exfiltration. (This August 2025 email-system intrusion is distinct from a separate, larger Alltricks customer-database leak reported later.)

Sources

  1. zataz.comhttps://www.zataz.com/intrusion-chez-alltricks-comment-des-mails-frauduleux-ont-passe-tous-les-filtres/
  2. next.inkhttps://next.ink/195409/alltricks-pirate-de-faux-mails-avec-de-vrais-pieges-envoyes-aux-clients/
  3. frenchbreaches.comhttps://frenchbreaches.com/alertes/alltricks-a0d5393f8210

Related incidents

Supply chainContained

Leak at Mango

In October 2025, Spanish fashion retailer Mango disclosed that an external marketing service provider was breached, exposing customers' first name, country, postal code, email address and phone number; no passwords or banking data were affected.

Victim
Mango
Supply chainContained

Leak at Pandora

In August 2025, Danish jewelry maker Pandora disclosed a breach of a third-party CRM platform (Salesforce) in which attackers stole customer contact data β€” names, email addresses and birth dates β€” while stating no passwords or payment data were taken.

Victim
Pandora
Supply chainContained

Leak at Afflelou

In April 2025, French optical and hearing-aid retailer Alain Afflelou disclosed a breach caused by a vulnerability at a third-party CRM provider, exposing the personal and commercial data of thousands of customers and prospects.

Victim
Afflelou