Skip to content
Credential stuffingContained

Leak at Companie de Transport Strasbourgeoise

In November 2024, the Compagnie des Transports Strasbourgeois (CTS) — Strasbourg's public transport operator — detected fraudulent logins to about 100 of its roughly 350,000 customer accounts via a credential-stuffing attack reusing passwords stolen in unrelated breaches.

Victim
Companie de Transport Strasbourgeoise

On 21 November 2024, the Compagnie des Transports Strasbourgeois (CTS) — the public transport operator for Strasbourg and its metropolitan area — emailed its entire customer base to warn that around one hundred customer accounts had been subject to abnormal access, which it had detected the same day.

The intrusions were the result of a credential-stuffing attack rather than a compromise of CTS systems. Usernames and passwords had been stolen in earlier, unrelated data breaches affecting other websites; because some customers had reused those same credentials for their CTS account, attackers were able to log in to the affected accounts. The breach therefore did not originate from CTS's own infrastructure.

The scope of exposure was limited. Roughly 100 of CTS's approximately 350,000 customer accounts were affected, and CTS stated that no banking details or identity documents were stored on its servers. The data potentially accessible was confined to customer-account information held in the affected profiles, such as:

  • Contact and account-profile details
  • Travel-pass / customer-account information

CTS notified all customers, advised affected users to change reused passwords, and pointed customers to France's official Cybermalveillance victim-assistance service. The incident was detected and contained quickly, with no evidence of a wider compromise of CTS infrastructure.

Sources

  1. france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/grand-est/bas-rhin/strasbourg-0/fuite-de-donnees-des-comptes-clients-de-la-compagnie-des-transports-strasbourgeois-vises-par-des-acces-frauduleux-3065767.html

Related incidents

Credential stuffingContained

Leak at Picard

On 12 November 2024, French frozen-food retailer Picard disclosed a credential-stuffing attack that compromised the loyalty accounts of around 45,000 customers, exposing personal and loyalty-programme data; no banking data was affected and the company notified the CNIL.

Victim
Picard
Records
45.0K
Credential stuffingOngoing

Leak at France Travail

In late October 2025, France Travail — France's public employment agency — disclosed a breach in which attackers used credentials harvested by infostealer malware to access job-seeker accounts and exfiltrate sensitive personal, identity and financial data; about 16,479 affected records were catalogued.

Victim
France Travail