i-Run: the leak of 1.2 million customers does not come from their database
In May 2026 a threat actor using the alias lowiq advertised a database of roughly 1,223,520 records attributed to French running-gear e-tailer i-Run, but the company investigated and determined the data did not originate from its own systems.
- Victim
- i-Run
On 4 May 2026, i-Run β a French online retailer specialising in running and endurance-sports equipment (i-run.fr) β was named in a dataset put up for sale on a cybercrime forum by a threat actor using the alias lowiq. The listing, priced at around $400, claimed to contain roughly 1,223,520 customer records and was advertised as having been obtained in April 2026.
The sample circulated by the seller included the following categories of personal data:
- Full names
- Email addresses
- Phone numbers
- Postal addresses
- Dates of birth
i-Run investigated the claim by reviewing its access logs and comparing the leaked sample against its own customer base. The company found no evidence of suspicious access to its infrastructure and concluded that the dataset did not originate from its systems: only a small fraction of the contacts (around 3%) matched its records, addresses and postal codes contained inconsistencies, and the sample included dates of birth β a field i-Run does not collect from its customers.
The incident appears to involve data that was misattributed to i-Run or recompiled from other sources rather than a genuine breach of the retailer's databases. No confirmed compromise of i-Run's environment was established, though the public association of the brand with the leak still exposed named individuals to a heightened risk of phishing and fraud.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/i-run-plus-de-12-million-de-clients-exposes-dans-une-fuite-de-donnees/