Skip to content
Data breachUnknown

MediaVacances: 256,000 invoices exposed in a data leak

On 18 May 2026, MediaVacances, a French peer-to-peer vacation-rental platform, had a database of roughly 256,000 customer invoices spanning 2005 to 2026 published on a cybercriminal forum, exposing names, addresses, payment details and listing data.

Victim
MediaVacances

On 18 May 2026, MediaVacances — a French peer-to-peer vacation-rental platform (mediavacances.com) — was hit by a large data leak after a threat actor using the alias ChimeraZ published a stolen database on a cybercriminal forum.

The leaked archive contained roughly 256,000 invoices, totalling about 188 MB in JSON format. The records span an unusually long period, with some invoices dating back to 2005 and others as recent as May 2026 — over two decades of the platform's commercial history. The data concerns property owners and advertisers who listed rentals on the site, as well as their associated transactions.

The exposed records included:

  • Names and postal addresses
  • Invoice references and payment dates
  • Transaction amounts
  • Service and subscription types
  • Property listing numbers
  • Advertisement display durations

The exact intrusion vector has not been established, and the full authenticity of the published files has not been officially confirmed. This leak forms part of a broader campaign by ChimeraZ against French tourism platforms, which has also targeted brands such as Maeva, Pierre & Vacances, Center Parcs and Gîtes de France. No public response from MediaVacances had been reported at the time of disclosure, leaving the status of the incident unknown.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/media-vacances-256-000-clients-exposes-dans-une-fuite-de-donnees/

Related incidents