Skip to content
Credential stuffingContained

Leak at Picard

On 12 November 2024, French frozen-food retailer Picard disclosed a credential-stuffing attack that compromised the loyalty accounts of around 45,000 customers, exposing personal and loyalty-programme data; no banking data was affected and the company notified the CNIL.

Victim
Picard
records
45.0K

On 12 November 2024, Picard β€” the French frozen-food retailer β€” emailed roughly 45,000 members of its loyalty programme to warn them that their accounts had been accessed without authorisation. The company attributed the incident to a credential-stuffing attack: rather than breaching Picard's own databases, attackers reused usernames and passwords stolen in unrelated breaches to log into customer loyalty accounts where people had recycled the same credentials.

Picard said it found no intrusion into its central systems, indicating the compromise was limited to individual customer accounts rather than a backend database breach. Banking and payment data were not affected. The data exposed in the accessed accounts included:

  • Last name, first name and date of birth
  • Email address, postal address and phone number
  • Loyalty card number, loyalty points, discount vouchers
  • Order history, receipts, shopping lists and purchase preferences

The company reported the incident to France's data protection authority, the CNIL, reinforced its security systems and stepped up monitoring of suspicious login attempts on customer accounts. It advised affected customers to change their passwords immediately β€” especially anywhere they had reused them β€” and to be wary of phishing or other suspicious communications. The breach was one of a wave of attacks on French consumer brands in late 2024, following similar incidents at SFR and Free.

Sources

  1. clubic.comhttps://www.clubic.com/actualite-543425-cet-e-mail-des-surgeles-picard-risque-de-glacer-le-sang-de-ses-45-000-clients.html
  2. usine-digitale.frhttps://www.usine-digitale.fr/article/picard-victime-d-une-fuite-de-donnees-plusieurs-milliers-de-clients-concernes.N2222253
  3. linformaticien.comhttps://www.linformaticien.com/magazine/cybersecurite/62687-des-clients-de-picard-victimes-d-une-fuite-de-donnees.html
  4. economiematin.frhttps://www.economiematin.fr/alerte-fuite-donnees-clients-picard-piratage

Related incidents

Credential stuffingContained

Leak at Kiabi

In January 2025, French clothing retailer Kiabi disclosed a credential-stuffing attack on its secondhand site (secondemain.kiabi.com) that exposed the names, dates of birth, contact details and IBANs of about 20,000 customers.

Victim
Kiabi
Records
20.0K
Credential stuffingContained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M