Skip to content
Credential stuffingContained

Leak at Kiabi

In January 2025, French clothing retailer Kiabi disclosed a credential-stuffing attack on its secondhand site (secondemain.kiabi.com) that exposed the names, dates of birth, contact details and IBANs of about 20,000 customers.

Victim
Kiabi
records
20.0K

On 14 January 2025, Kiabi — a major French clothing retailer — disclosed that its secondhand resale site, secondemain.kiabi.com, had been hit by a credential-stuffing attack detected on 7 January. The attackers used login/password pairs leaked in unrelated breaches to break into customer accounts on the platform en masse via automated bots.

By gaining access to the accounts, the criminals were able to harvest personal and partial banking information for roughly 20,000 customers. The breach was confined to the secondhand site and did not affect Kiabi's main e-commerce platform.

The exposed data included:

  • Last name and first name
  • Date of birth
  • Postal address and contact details
  • IBAN (where customers had registered one)

Kiabi stated that full bank details (RIB) and identity documents were not compromised, as those are held by its payment partner Lemonway and are not accessible from customer accounts. In response, the company masked IBANs in customer accounts, forced a reset of all customer passwords, and raised the minimum password length to 14 characters. The same wave of credential-stuffing attacks was linked by researchers to a similar incident at Showroomprivé days earlier.

Sources

  1. usine-digitale.frhttps://www.usine-digitale.fr/article/kiabi-touche-par-une-cyberattaque-les-coordonnees-bancaires-de-20-000-clients-derobees.N2225770
  2. franceinfo.frhttps://www.franceinfo.fr/internet/securite-sur-internet/cyberattaques/le-site-de-seconde-main-de-kiabi-a-ete-victime-d-une-cyberattaque-ciblant-les-donnees-de-20-000-clients_7015898.html
  3. linformaticien.comhttps://www.linformaticien.com/magazine/cybersecurite/62924-kiabi-victime-d-une-attaque-par-credential-stuffing.html
  4. moneyvox.frhttps://www.moneyvox.fr/actu/101612/des-iban-voles-suite-a-une-cyberattaque-sur-un-site-web-de-kiabi

Related incidents

Credential stuffingContained

Leak at Picard

On 12 November 2024, French frozen-food retailer Picard disclosed a credential-stuffing attack that compromised the loyalty accounts of around 45,000 customers, exposing personal and loyalty-programme data; no banking data was affected and the company notified the CNIL.

Victim
Picard
Records
45.0K
Credential stuffingOngoing

Leak at France Travail

In late October 2025, France Travail — France's public employment agency — disclosed a breach in which attackers used credentials harvested by infostealer malware to access job-seeker accounts and exfiltrate sensitive personal, identity and financial data; about 16,479 affected records were catalogued.

Victim
France Travail