Skip to content
Supply chainContained

Leak at Boulanger

On the night of 6-7 September 2024, French electronics retailer Boulanger suffered a data breach traced to a shared third-party delivery/IT provider, exposing the names, postal and email addresses and phone numbers of several hundred thousand customers; no banking data was affected.

Victim
Boulanger

On the night of 6-7 September 2024, Boulanger β€” a major French consumer-electronics retail chain β€” was hit by a cyberattack that exposed the personal data of several hundred thousand customers. The company disclosed the incident publicly on 8 September, stating that the compromised information related to deliveries and that no customer banking data was affected.

The breach was not isolated. In the same period, fellow French retailers Cultura and Truffaut reported very similar incidents, and reporting attributed the wave to a common external IT/delivery service provider used by the affected companies β€” making this a third-party (supply-chain) compromise rather than a direct intrusion of Boulanger's own systems.

Exposed data categories included:

  • Surname and first name
  • Email address
  • Postal (delivery) address
  • Phone number

A threat actor subsequently advertised a Boulanger-linked database of roughly 27.5 million log lines for sale, though security researchers questioned the authenticity and scope of that listing; Boulanger itself characterized the exposure as affecting several hundred thousand customers. The company said the incident had been contained, that its websites and apps were operating normally under heightened vigilance, and it warned customers to stay alert to phishing and delivery-themed fraud attempts using the leaked details.

Sources

  1. lemondeinformatique.frhttps://www.lemondeinformatique.fr/actualites/lire-piratage-de-boulanger-des-centaines-de-milliers-de-clients-touches-94654.html
  2. pointsdevente.frhttps://pointsdevente.fr/fil-info/2024-09-12-cyberattaques-les-clients-de-boulanger-cultura-truffaut-victimes-dune-fuite-de-donnees/
  3. usine-digitale.frhttps://www.usine-digitale.fr/article/cybersecurite-boulanger-victime-d-une-fuite-de-donnees-des-millions-de-francais-concernes.N2218196

Related incidents

Supply chainContained

Leak at Cultura

On 10 September 2024, French cultural-goods retailer Cultura disclosed that a breach at a shared third-party IT provider exposed the personal data of about 1.5 million customers, including names, contact details and order history; passwords and bank data were not affected.

Victim
Cultura
Records
1.5M
Supply chainContained

Leak at Jeu Jouet

French online toy retailer JeuJouet.com warned customers in April 2026 that its Magento e-commerce platform was compromised in a mass exploitation campaign, potentially exposing names, email addresses, account credentials and order data; no banking details were affected.

Victim
Jeu Jouet