812,000 Boulangerie Ange customers affected by a data leak
On 8 May 2026, French bakery chain Boulangerie Ange confirmed a data breach exposing the names, phone numbers and cities of around 812,000 customers registered on its digital services, after an exposed authentication token allowed API access to its database.
- Victim
- Boulangerie Ange
- records
- 812.0K
On 8 May 2026, Boulangerie Ange β a French bakery chain founded in Aix-en-Provence and operated by the Bilov group β confirmed a data breach affecting roughly 812,000 customers registered on its digital services. The leak had first been advertised on 29 April 2026 by a threat actor using the handle "odelpaso" on a cybercrime forum.
According to reporting on the incident, the breach stemmed from an active authentication token left exposed on a company subdomain, which let an attacker make unauthorized API calls and extract the customer database. No payment or banking information was included in the exposed dataset.
The data exposed covered:
- Last names and first names
- Phone numbers
- Cities of residence
Boulangerie Ange (via the Bilov group) acknowledged the incident and notified affected customers by email. Although no financial data was leaked, the exposed contact details put customers at heightened risk of phishing, fraudulent calls and SMS, spam, and cross-referencing with other breached databases.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-05-08-boulangerie-ange
- cyberattaque.orghttps://www.cyberattaque.org/boulangerie-ange-812-000-clients-exposes-apres-une-fuite-de-donnees/