Bodyhit: 218,000 customers and 42,000 IBANs put up for sale after a cyberattack
On 23 April 2026, a threat actor using the alias 'undef' claimed to be selling a database from French electrostimulation fitness chain Bodyhit, exposing the personal and banking details of more than 218,000 customers, including over 42,000 IBANs.
- Victim
- Bodyhit
On 23 April 2026, Bodyhit — a French fitness chain built around electrostimulation (EMS) coaching studios — was named in a data-leak claim after a threat actor using the alias undef advertised a database said to belong to the company for sale online.
According to the listing, the dataset covers more than 218,000 customers and includes over 42,000 banking records (IBAN and BIC codes), making the leak especially sensitive given the direct exposure of payment details. As a chain that manages member subscriptions, the company holds extensive personal and financial data on its clientele.
The exposed data categories reportedly include:
- Customer ID and member code
- Full name, date of birth and gender
- Email address, phone number and emergency contact
- Postal address
- Customer category and date of last club visit
- IBAN and BIC banking details
As of the disclosure date, no official communication from Bodyhit or French authorities had confirmed the authenticity of the database, so the breach remains unverified. The presence of banking information nonetheless exposes affected customers to a heightened risk of targeted phishing, fraudulent transfers and identity theft.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/cyberattaque-bodyhit-218-000-clients-42-000-iban-fuite-donnee/
- frenchbreaches.comhttps://frenchbreaches.com/alertes/bodyhit-moburwy3rponouqkqal