Leak at Orpi
In January 2026, a database from the French real-estate network Orpi's owner/tenant extranet surfaced online, exposing names, postal addresses, IBANs, rent receipts and extranet logins with passwords stored in plain text.
- Victim
- Orpi
On 23 January 2026, Orpi — one of France's largest cooperative real-estate agency networks — was hit by a data leak after a database extracted from its owner and tenant extranet began circulating online. The exposed records concern clients and tenants of the network and combine identity, contact, banking and account-credential data.
The most serious finding is that extranet account passwords were stored in plain text, meaning anyone with the dataset can read them directly. Combined with the leaked banking and tenancy information, this exposes affected individuals to identity theft, fraudulent direct-debit attempts and targeted phishing — and to account takeover elsewhere for anyone who reused their password.
Exposed data categories include:
- Full name (last name, first name)
- Postal address
- IBAN (bank account number)
- Rent receipts
- Extranet username
- Extranet password (stored in plain text)
The full scale of the leak — including the precise number of affected tenants and owners — has not been authoritatively confirmed, and the dataset was reported to be in circulation. Affected Orpi users should treat their extranet password as compromised, change it (and any reused passwords) immediately, and watch their bank statements for unauthorised transactions.
Sources
- howmation.comhttps://howmation.com/fr_FR/forum/41-cybersecurite-fuites-de-donnees/40-leak-orpi-22-janvier-2026
- itsense.frhttps://www.itsense.fr/fuites-donnees-premier-trimestre-2026/