Skip to content
Data breachUnknown

10,000,000 O'Tacos customers affected by a data leak

On 27 January 2026, a database tied to O'Tacos' loyalty programme and mobile app surfaced for sale on a hacking forum: a 9 GB JSON dump of roughly 29 million user records, about 10 million with full identity details, across the French chain's international markets.

Victim
O'Tacos
records
10.0M

On 27 January 2026, O'Tacos — the French "French Tacos" fast-food chain operating more than 400 restaurants across France, Belgium, Morocco, Canada and other markets — was hit by a major leak of its international customer database, which appeared for sale on a hacking forum.

The exposed data came from the brand's loyalty programme and technical metadata generated by its mobile application. The dataset was offered as a 9 GB JSON dump containing roughly 29 million user records in total, of which about 10 million carried full identity details. The records were recent, with modifications timestamped through January 2026.

Exposed data categories reported include:

  • First and last names
  • Loyalty-programme account details
  • Technical metadata from the mobile app

Because the dump spans O'Tacos' international footprint, affected customers are spread across multiple countries. As of reporting, the breach was disclosed via French breach-tracking sources; the company's confirmation, the precise intrusion vector, and any regulatory or remediation response were not publicly established, so the status remains unknown.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-01-27-o-tacos
  2. frenchbreaches.comhttps://frenchbreaches.com/alertes/o-tacos-070e61496a4f

Related incidents