Leak at Kiabi
In January 2025, French clothing retailer Kiabi disclosed a credential-stuffing attack on its secondhand site (secondemain.kiabi.com) that exposed the names, dates of birth, contact details and IBANs of about 20,000 customers.
- Victim
- Kiabi
- records
- 20.0K
On 14 January 2025, Kiabi — a major French clothing retailer — disclosed that its secondhand resale site, secondemain.kiabi.com, had been hit by a credential-stuffing attack detected on 7 January. The attackers used login/password pairs leaked in unrelated breaches to break into customer accounts on the platform en masse via automated bots.
By gaining access to the accounts, the criminals were able to harvest personal and partial banking information for roughly 20,000 customers. The breach was confined to the secondhand site and did not affect Kiabi's main e-commerce platform.
The exposed data included:
- Last name and first name
- Date of birth
- Postal address and contact details
- IBAN (where customers had registered one)
Kiabi stated that full bank details (RIB) and identity documents were not compromised, as those are held by its payment partner Lemonway and are not accessible from customer accounts. In response, the company masked IBANs in customer accounts, forced a reset of all customer passwords, and raised the minimum password length to 14 characters. The same wave of credential-stuffing attacks was linked by researchers to a similar incident at Showroomprivé days earlier.
Sources
- usine-digitale.frhttps://www.usine-digitale.fr/article/kiabi-touche-par-une-cyberattaque-les-coordonnees-bancaires-de-20-000-clients-derobees.N2225770
- franceinfo.frhttps://www.franceinfo.fr/internet/securite-sur-internet/cyberattaques/le-site-de-seconde-main-de-kiabi-a-ete-victime-d-une-cyberattaque-ciblant-les-donnees-de-20-000-clients_7015898.html
- linformaticien.comhttps://www.linformaticien.com/magazine/cybersecurite/62924-kiabi-victime-d-une-attaque-par-credential-stuffing.html
- moneyvox.frhttps://www.moneyvox.fr/actu/101612/des-iban-voles-suite-a-une-cyberattaque-sur-un-site-web-de-kiabi