1,457,473 orders affected by claimed leak at Florajet
On 3 March 2026, French flower-delivery service Florajet confirmed unauthorised access to its B2B ordering tool after a criminal put 1,457,473 order records (2023-2026, ~136 GB) up for sale, exposing names, full postal addresses, ~952,000 phone numbers and intimate accompanying messages.
- Victim
- Florajet
- records
- 1.5M
On 3 March 2026, Florajet β one of France's leading online flower-delivery networks β confirmed that an attacker had gained unauthorised access to its B2B ordering tool, after a corpus of 1,457,473 order records (roughly 136 GB, covering the 2023-2026 period) was put up for sale on a cybercrime forum.
The intrusion was reportedly enabled by compromised login credentials belonging to a partner florist, a weak link in the platform's supply chain. The attacker β operating under the alias HexDex, a threat actor that has repeatedly targeted French companies β was able to harvest order vouchers stored as PDF documents and exfiltrate them in bulk.
The exposed data included:
- Sender and recipient first and last names
- Complete postal delivery addresses (around 1.2 million)
- Phone numbers (approximately 952,000 unique numbers)
- Order and purchase details
- The personal messages accompanying each bouquet β an unusually intimate category containing declarations of love, apologies and condolences
Florajet acknowledged the breach, blocked the malicious access, and said it would shorten the retention period for these documents. The intimate nature of the leaked messages, combined with names, addresses and phone numbers, raises a heightened risk of targeted phishing and fraud against affected customers and recipients.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-03-03-florajet
- generation-nt.comhttps://www.generation-nt.com/actualites/florajet-fuite-donnees-cyberattaque-rgpd-dark-web-2072025
- le-droit.frhttps://www.le-droit.fr/blog/fuite-donnees-florajet-piratage-rgpd-droits-victimes