18,140 people affected by claimed leak at AVEA Vacances
On 23 May 2026, AVEA Vacances, a French association organising educational stays and holiday camps for children and teenagers, was named in a forum leak of roughly 46,000 records (128 MB), including an 18,140-line file of postal-worker and CSE data plus booking and accounting documents.
- Victim
- AVEA Séjours / AVEA Vacances
- records
- 18.1K
On 23 May 2026, AVEA Vacances (AVEA Séjours) — a French non-profit association that organises holiday camps and educational stays for children and teenagers — was named in a data leak published on a cybercriminal forum. The post, attributed to a threat actor calling itself ChimeraZ, claimed a dump of roughly 46,000 records totalling about 128 MB, drawn from the avea-vacances.fr and abv.avea.asso.fr platforms.
The leak was advertised as a collection of databases and internal documents rather than a single customer table. Among the files cited were a 20K-documents.json set of more than 20,000 stay-organisation documents, a 18K-Postiers-CSE.json file of over 18,000 lines tied to La Poste employees and works-council (CSE) structures, and several thousand internal invoices. The figure of 18,140 corresponds to that postal-worker/CSE file.
Reported categories of exposed data included:
- Names, dates of birth and departmental assignments of staff and beneficiaries
- Booking and reservation periods for youth stays
- Vehicle-rental invoices and contract references
- Financial and accounting records (amounts, payment methods, activity budgets, accounting statuses)
- Internal administrative documents relating to vacation centres
The attack vector was not disclosed, and the breach remains an unverified forum claim: the actor posted sample records and download references, but AVEA Vacances had not publicly confirmed the incident or the authenticity of the data at the time of reporting. If genuine, the exposed information could enable phishing, invoice fraud and social-engineering attacks against affected families, employees and partner organisations.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-05-23-avea-sejours-avea-vacances
- cyberattaque.orghttps://www.cyberattaque.org/avea-vacances-victime-dune-cyberattaque-46-000-dossiers-de-sejours-exposes/
- darkwebinformer.comhttps://darkwebinformer.com/avea-vacances-allegedly-breached-46k-french-holiday-camp-records-exposed/