Skip to content
Data breachContained

1,457,473 orders affected by claimed leak at Florajet

On 3 March 2026, French flower-delivery service Florajet confirmed unauthorised access to its B2B ordering tool after a criminal put 1,457,473 order records (2023-2026, ~136 GB) up for sale, exposing names, full postal addresses, ~952,000 phone numbers and intimate accompanying messages.

Victim
Florajet
records
1.5M

On 3 March 2026, Florajet β€” one of France's leading online flower-delivery networks β€” confirmed that an attacker had gained unauthorised access to its B2B ordering tool, after a corpus of 1,457,473 order records (roughly 136 GB, covering the 2023-2026 period) was put up for sale on a cybercrime forum.

The intrusion was reportedly enabled by compromised login credentials belonging to a partner florist, a weak link in the platform's supply chain. The attacker β€” operating under the alias HexDex, a threat actor that has repeatedly targeted French companies β€” was able to harvest order vouchers stored as PDF documents and exfiltrate them in bulk.

The exposed data included:

  • Sender and recipient first and last names
  • Complete postal delivery addresses (around 1.2 million)
  • Phone numbers (approximately 952,000 unique numbers)
  • Order and purchase details
  • The personal messages accompanying each bouquet β€” an unusually intimate category containing declarations of love, apologies and condolences

Florajet acknowledged the breach, blocked the malicious access, and said it would shorten the retention period for these documents. The intimate nature of the leaked messages, combined with names, addresses and phone numbers, raises a heightened risk of targeted phishing and fraud against affected customers and recipients.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-03-03-florajet
  2. generation-nt.comhttps://www.generation-nt.com/actualites/florajet-fuite-donnees-cyberattaque-rgpd-dark-web-2072025
  3. le-droit.frhttps://www.le-droit.fr/blog/fuite-donnees-florajet-piratage-rgpd-droits-victimes

Related incidents

Data breachOngoing

1,528 contacts at Nature & Cie, claimed leak

In late May 2026, a B2B commercial database attributed to French organic-food distributor Nature & Cie surfaced on a cybercriminal forum, exposing roughly 5,635 stores, over 1,500 professional contacts and around 1,500 sales-visit reports covering Biocoop, Naturalia and La Vie Claire partners.

Victim
Nature & Cie
Records
1.5K