Skip to content
Data breachOngoing

Avea Vacances hit by a cyberattack: 46,000 stay records exposed

On 23 May 2026, French holiday-camp association Avea Vacances was named by the threat actor ChimeraZ, who published roughly 46,000 records (128 MB) on a cybercrime forum, including stay-organisation documents and a file of more than 18,000 La Poste employees' details.

Victim
Avea Vacances
records
46.0K

On 23 May 2026, Avea Vacances — a French association running themed holiday camps and educational stays for children and teenagers, historically tied to the social-activities arm of postal workers — was named on a cybercrime forum as the latest victim in a wave of attacks on the French tourism sector attributed to the threat actor ChimeraZ.

The attacker published a dataset of roughly 46,000 records totalling around 128 MB, drawn from the avea-vacances.fr and abv.avea.asso.fr platforms. The leak was organised into several files, notably a "20K-documents.json" file holding more than 20,000 documents tied to the organisation of stays, and an "18K-Postiers-CSE.json" file containing more than 18,000 rows of data on La Poste employees and structures. The exact intrusion vector has not been disclosed.

The exposed data reportedly includes:

  • Names, dates of birth and internal identifiers of La Poste employees and organisational assignments
  • Vehicle-rental invoices and contract references
  • Internal accounting, budget and logistics documents
  • Payment information and booking/reservation periods
  • References to PDF documents related to stay management

As of the disclosure date, Avea Vacances had not publicly confirmed the breach, and the exact circumstances of the compromise and the full authenticity of the leaked data remained unverified. The combination of names, dates of birth and invoice/payment details raises the risk of targeted phishing, invoice fraud and social-engineering attempts against those affected.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/avea-vacances-victime-dune-cyberattaque-46-000-dossiers-de-sejours-exposes/
  2. darkwebinformer.comhttps://darkwebinformer.com/avea-vacances-allegedly-breached-46k-french-holiday-camp-records-exposed/
  3. hendryadrian.comhttps://www.hendryadrian.com/avea-vacances-allegedly-breached-46k-french-holiday-camp-records-exposed/

Related incidents