Skip to content
Vulnerability exploitContained

Leak at Maeva

In May 2026, Maeva — the holiday-rental brand of Pierre & Vacances-Center Parcs — disclosed a breach in which an attacker scraped up to ten years of booking data, exposing names, dates of birth, phone numbers and stay details for around 4.5 million customers across 1.6 million reservations.

Victim
Maeva

On 19 May 2026, Maeva — the holiday-rental brand of French tourism group Pierre & Vacances-Center Parcs (PVCP) — was confirmed as the victim of a large-scale data breach affecting its "La France du Nord au Sud" booking platform. PVCP first acknowledged the incident publicly around 15 May, and the group later detailed it in a customer-facing security notice.

The attacker exploited an Insecure Direct Object Reference (IDOR) flaw in the reservation platform, which allowed unauthorized access to booking records by manipulating object identifiers. Over a period of several weeks, the data was harvested through automated, large-scale scraping rather than a single intrusion. A person using the alias "ChimeraZ" claimed responsibility on a cybercrime forum, advertising roughly 900 MB of JSON data spanning around ten years of reservation history.

The exposed data covered approximately 4.5 million people across about 1.6 million reservations and included:

  • First and last names of guests
  • Dates of birth
  • Phone numbers
  • Reservation numbers and booking comments
  • Dates and locations of stays / accommodations booked

PVCP stated that no banking data, payment details or passwords were compromised; passwords were nonetheless reset as a precaution. The group said the vulnerability had been identified and patched, deployed additional technical safeguards, filed a criminal complaint, notified France's data-protection regulator (the CNIL), and opened a dedicated support line for affected customers.

Sources

  1. maeva.comhttps://www.maeva.com/fr-fr/information-securite
  2. optionfinance.frhttps://www.optionfinance.fr/info-financiere-en-continu/d/2026-05-18-pierre-vacances-center-parcs-touche-par-une-fuite-de-donnees.html
  3. cyberattaque.orghttps://www.cyberattaque.org/maeva-pierre-vacances-center-parcs-cyberattque-fuite-donnees/
  4. leto.legalhttps://www.leto.legal/news/pvcp-maeva-fuite-donnees-1-6-million-reservations-2026

Related incidents