Leak at Chronopost
In December 2025, a 680 MB dataset on ~860,000 Chronopost customers — names, emails and parcel details scraped from the La Poste Pickup relay-point network — was published on BreachForums; the data covered shipments from spring 2025.
- Victim
- Chronopost
- records
- 860.0K
On 20 December 2025, Chronopost — the express-parcel subsidiary of France's La Poste group — was hit by the public disclosure of a large customer dataset on the BreachForums cybercrime forum. A threat actor published a 680 MB JSON file said to contain the personal data of roughly 860,000 people, claiming the records had never circulated before and came directly from their own extraction.
The attacker said the data was harvested by scraping Chronopost's "Pickup" relay-point systems — the network used to deliver and collect parcels at local drop-off points — rather than through a direct intrusion into back-end servers. This points to insufficiently protected web interfaces or APIs that allowed mass automated collection of shipment and recipient information. The exposed records covered shipments handled between roughly 25 February and 10 April 2025.
Exposed data categories included:
- First and last names
- Email addresses
- Parcel tracking/reference numbers
- Parcel details (dimensions, barcodes)
- Pickup point names and locations
Chronopost confirmed the incident and linked it to a vulnerability it had identified and "actively addressed" in spring 2025, in line with applicable regulations. While the underlying flaw was said to have been remediated at the time, the December 2025 mass publication renewed the exposure for affected customers, who face a heightened risk of highly credible phishing and SMS-based (smishing) scams. This event is distinct from the separate January 2025 Chronopost breach that affected around 210,000 customers.
Sources
- generation-nt.comhttps://www.generation-nt.com/actualites/chronopost-fuite-donnees-pickup-piratage-colis-2068262
- kulturegeek.frhttps://kulturegeek.fr/news-344103/chronopost-pirate-donnees-860-000-francais-fuite
- zataz.comhttps://www.zataz.com/chronopost-plus-de-trois-millions-de-donnees-personnelles-en-fuite/