Skip to content
Data breachContained

Leak at Leroy Merlin

In December 2025, French DIY retailer Leroy Merlin disclosed a cyberattack that exposed the loyalty-program data of several hundred thousand French customers, including names, contact details, postal addresses and dates of birth; no banking data or passwords were affected.

Victim
Leroy Merlin

On 3 December 2025, Leroy Merlin β€” the French home-improvement and gardening retail giant β€” disclosed that it had been the victim of a cyberattack exposing the personal data tied to its customer loyalty accounts. According to the company, several hundred thousand French customers were affected. The breach was limited to Leroy Merlin's French customer base and only concerned holders of a loyalty account.

The attack vector was not publicly detailed. Leroy Merlin stated that as soon as the incident was detected it took the necessary measures to block the unauthorised access and contain the breach, and that it continued to monitor its systems for any sign of misuse. France's data protection authority, the CNIL, was notified, and affected customers were emailed and warned to be vigilant against phishing attempts.

Exposed data categories included:

  • First and last name
  • Phone number
  • Email address
  • Postal address
  • Date of birth
  • Loyalty program information

The company emphasised that no banking information and no online account passwords were compromised, as those remained secured. At the time of disclosure no ransomware group had claimed responsibility, and Leroy Merlin reported no evidence that the stolen data had yet been leaked online or otherwise misused.

Sources

  1. leroymerlin.frhttps://www.leroymerlin.fr/faq-incident-donnees-clients/
  2. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/french-diy-retail-giant-leroy-merlin-discloses-a-data-breach/
  3. usine-digitale.frhttps://www.usine-digitale.fr/cybersecurite/leroy-merlin-victime-dune-cyberattaque-exposant-les-donnees-personnelles-de-plusieurs-centaines-de-milliers-de-clients.7V62D542CZALXABV5FIZGGY32I.html
  4. journaldugeek.comhttps://www.journaldugeek.com/2025/12/04/fuite-de-donnees-chez-leroy-merlin-comment-savoir-si-vous-etes-touches/

Related incidents

Data breachContained

Leak at Batterie de Portable

On 28 Dec 2025, French e-commerce retailer Batteriedeportable (Aubagne) disclosed a November cyberattack that exposed customer identity and contact data β€” names, dates of birth, postal/email addresses and phone numbers. It claims over a million European customers.

Victim
Batterie de Portable
Data breachUnknown

Leak at Nouvelle Lune

On 26 December 2025, a customer database from French online boutique Nouvelle Lune was leaked, exposing personal data for roughly 161 customers, including names, email and postal addresses, and order history.

Victim
Nouvelle Lune
Data breachUnknown

Leak at Parashop

On 17 December 2025, a leak of customer data from French parapharmacy retailer Parashop was disclosed, exposing personal records including full names, dates of birth and postal addresses.

Victim
Parashop