Skip to content
Data breachContained

Cetelem: customer email addresses exposed after a cyberattack

Cetelem, the consumer-credit brand of BNP Paribas Personal Finance, confirmed a cyberattack on 20 April 2026 that exposed the email addresses of several hundred thousand customers; the company says no passwords, banking or payment data were compromised.

Victim
Cetelem

On 20 April 2026, Cetelem β€” the consumer-credit and financing brand of BNP Paribas Personal Finance β€” suffered a cyberattack that compromised the email addresses of a portion of its customer base. The company disclosed the incident in early May, notifying affected customers and reporting the breach to the CNIL, France's data-protection regulator.

According to the company, the exposure was limited to email addresses. BNP Paribas Personal Finance stated that no other personal data was affected β€” specifically that passwords, banking details and payment information were not compromised. The breach is reported to have touched several hundred thousand accounts, out of a French customer base numbering in the millions; no exact figure has been published.

Data exposed:

  • Customer email addresses

The technical cause and attack vector have not been disclosed publicly. Cetelem warned customers to be vigilant against phishing, as the leaked addresses can be used to craft convincing fraudulent messages impersonating the brand in an attempt to extract banking details, identity documents or login credentials.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/cetelem-les-adresses-email-des-clients-exposees-apres-une-cyberattaque/
  2. incyber.orghttps://incyber.org/article/cetelem-victime-fuite-donnees-centaines-milliers-adresses-e-mail-derobees/
  3. presse-citron.nethttps://www.presse-citron.net/cyberattaque-chez-cetelem-des-milliers-de-francais-cibles-etes-vous-concerne-par-la-fuite/

Related incidents

Data breachUnknown

23,685 records: claimed leak at ATOA

A threat actor put a database from ATOA β€” a French real-estate tokenization and fractional-investment fintech β€” up for sale on a dark web forum, exposing roughly 23,685 user and financial records plus 326 full KYC archives containing passports, ID cards and banking details.

Victim
ATOA
Records
23.7K