Leak at Bilov
In May 2026, Bilov — operator of the French Boulangeries Ange bakery chain — disclosed a data breach exposing the personal details (name, city, phone number) of around 812,000 customers after an active authentication token allowed unauthorized API access.
- Victim
- Bilov
- records
- 812.0K
On 7 May 2026, Bilov — the company operating the French Boulangeries Ange bakery chain — disclosed a data breach affecting its customer database. A threat actor claimed to have extracted the records of roughly 812,000 customers and offered them on a cybercrime forum, prompting the company to notify affected individuals by email.
According to the company's own statement, the breach stemmed from a security weakness rather than a ransomware intrusion: an authentication token that remained active on one of its subdomains allowed an attacker to query a standard API without authorization and pull customer records. No banking or payment data was reported to be involved.
The exposed data included:
- Last name and first name
- City of residence
- Telephone number
Bilov filed a criminal complaint on 7 May 2026 and notified the French data-protection authority (CNIL) on 6 May 2026 under Article 33 of the GDPR. The company says it has since implemented corrective technical and organizational measures to harden its information systems, and it warned customers to be vigilant against phishing and fraudulent calls or SMS messages exploiting the leaked contact details.
Sources
- bonjourlafuite.eu.orghttps://bonjourlafuite.eu.org/#Bilov-2026-05-07
- cyberattaque.orghttps://www.cyberattaque.org/boulangerie-ange-812-000-clients-exposes-apres-une-fuite-de-donnees/