99,671 people: claimed data leak at Lagrange Vacances
On 19 May 2026 a threat actor known as ChimeraZ claimed to have leaked a database of French holiday-rental operator Lagrange Vacances, allegedly exposing booking records for more than 44,000 holidaymakers, reportedly via an IDOR vulnerability.
- Victim
- Lagrange Vacances
- records
- 44.0K
On 19 May 2026, Lagrange Vacances — a French holiday-residence and seasonal-rental operator running properties across France and Europe — was named in a data-leak claim posted to a cybercrime forum. The actor, who goes by ChimeraZ and has been tied to several previous breaches in the French tourism and seasonal-rental sector, advertised a database said to relate to the operator's bookings.
According to the claim, the dataset concerns more than 44,000 people and was published in JSON format. ChimeraZ attributed the compromise to an IDOR (Insecure Direct Object Reference) vulnerability — exploited through a compromised professional account — which can let an authenticated user reach records they should not see simply by altering identifiers in requests or URLs.
The exposed data is reported to center on holiday reservations and stays, including:
- Holidaymakers' names and contact details
- Arrival and departure dates and property/accommodation details
- Occupant information, services purchased and pricing
- Free-text booking comments, which may reveal travel habits, periods of absence from home, and personal preferences
The breach remains unconfirmed: as of reporting, no independent verification of the exact scope of the claimed compromise was available, and Lagrange Vacances had not publicly confirmed the incident. The widely circulated tracker headline of 99,671 entries appears to reflect raw record rows, whereas independent reporting puts the number of distinct people affected at over 44,000.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-05-19-lagrange-vacances
- cyberattaque.orghttps://www.cyberattaque.org/vacances-lagrange-plus-de-44-000-vacanciers-touches-par-une-fuite-de-donnees/
- x.comhttps://x.com/DailyDarkWeb/status/2056789105460011516