Le Petit Vapoteur: 3.3 million customers exposed
In late March 2026, French e-cigarette retailer Le Petit Vapoteur was hit by a data breach after a hacker using the alias 'undef' put its customer database up for sale, exposing names, emails, phone numbers, postal addresses and IP logs for a claimed 3.3 million customers and 599 employees spanning 2012-2026.
- Victim
- Le Petit Vapoteur
- records
- 3.3M
On 30 March 2026, Le Petit Vapoteur β one of France's largest online e-cigarette and vaping retailers β became the target of a large-scale data breach after a threat actor advertised its entire customer database for sale on a cybercriminal forum.
The company's technical teams reportedly detected signs of intrusion on internal tools around 20 March 2026. A few days later, a hacker using the pseudonym "undef" offered what they claimed to be the complete database for sale, covering roughly 14 years of records spanning 2012 to 2026 β effectively the firm's entire commercial history. The exact intrusion vector was not publicly confirmed.
The exposed data, according to the seller, included:
- Customer names, email addresses and phone numbers
- Postal addresses
- Browsing histories and connection logs, including IP addresses
- Employee data: personal details, job titles and contact information
The seller claimed the leak affected 3,307,087 customers and 599 employees. Le Petit Vapoteur stated that passwords and banking details were not compromised, and disputed the scale, asserting that the actual impact concerned less than 2% of its customer base. Even so, the breadth and 14-year depth of the data raise a heightened risk of targeted phishing and identity theft for affected individuals.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/le-petit-vapoteur-33-millions-de-clients-exposes/
- nophi.shhttps://nophi.sh/blog/petit-vapoteur-fuite-3-millions-clients-donnees
- frenchbreaches.comhttps://frenchbreaches.com/alertes/le-petit-vapoteur-mnanmz23cl3a0gosyom