Arsène Valentin: customer data exposed after malicious code was injected on the site
On 8 May 2026, French e-cigarette retailer Arsène Valentin disclosed that malicious code injected into its e-commerce website had exposed customer personal data — names, emails, postal addresses, phone numbers, dates of birth and order history; the breach was reported to the CNIL.
- Victim
- Arsène Valentin
On 8 May 2026, Arsène Valentin — a French e-commerce retailer of electronic cigarettes and e-liquids, with a network of franchised stores across France — notified its customers that it had detected malicious code planted on its website, which may have exposed their personal data.
The company described a classic web-skimming style compromise: attackers injected malicious code into the e-commerce site, potentially through a vulnerable plugin, a compromised dependency, or hijacked administrator access. The exact entry point was not confirmed in the disclosure.
The personal data potentially exposed included:
- First and last names
- Email addresses
- Postal addresses
- Phone numbers
- Dates of birth
- Order history
Arsène Valentin stated that no banking data is stored on its servers, and that no malicious use of the affected information had been detected at the time of disclosure. The number of customers impacted was not disclosed.
The company reported the incident to the CNIL (France's data protection authority) and said it secured its infrastructure immediately after discovering the intrusion. Customers were advised to change their passwords and to stay alert for phishing attempts, since the combination of personal details and purchase history could enable highly convincing scam messages impersonating the brand.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/arsene-valentin-des-donnees-clients-exposees-apres-linjection-dun-code-malveillant-sur-le-site/