Skip to content
Data breachResolved

Data leak at Sport 2000

Customer database of French sporting-goods retailer Sport 2000 — covering roughly 4.3 million people — was stolen and circulated on hacking forums and the dark web, exposing names, contact details, dates of birth and purchase history.

Victim
Sport 2000
records
4.4M

On 20 December 2024, the customer database of Sport 2000 — a French sporting-goods and apparel retail chain — was confirmed to be circulating freely on the dark web, the latest stage of a breach the company first disclosed in April 2024. The stolen records were first put up for sale on a Russian-language forum for around $2,000 before being released openly and later folded into a wider compilation of French breaches.

The data was exfiltrated from Sport 2000's customer systems and offered by a French-speaking actor tracked as "Chat Noir" / Epsilon. About 4,376,036 people were affected (roughly 3.2 million unique email addresses). No banking or payment-card data was reported in the leaked samples.

Exposed data categories included:

  • Full names and salutations
  • Email addresses
  • Postal addresses
  • Phone numbers
  • Dates of birth / ages
  • Customer codes and in-store purchase history

By late 2024 the dataset had been republished openly and was indexed in breach-notification services such as Have I Been Pwned, and it also appeared in a large open Elasticsearch trove compiling roughly 95 million records from multiple French breaches. Because the data has been widely copied, the combination of contact details and purchase history makes affected customers durable targets for phishing and identity fraud.

Sources

  1. cybernews.comhttps://cybernews.com/security/french-records-exposed-by-mysterious-data-hoarder/
  2. haveibeenpwned.comhttps://haveibeenpwned.com/Breach/Sport2000
  3. zataz.comhttps://www.zataz.com/la-base-de-donnees-sport2000-apparait-en-acces-libre-dans-le-dark-web/
  4. clubic.comhttps://www.clubic.com/actualite-525045-sport-2000-victime-d-une-cyberattaque-un-gang-de-pirates-francais-soupconne-de-vendre-les-donnees-de-4-millions-de-clients.html

Related incidents

Data breachUnknown

Leak at Electro Dépôt

Customer data attributed to French electronics retailer Electro Dépôt surfaced as one of at least 17 French breaches consolidated on an open database, exposing names, contact details, IP addresses and partial payment data.

Victim
Electro Dépôt
Data breachUnknown

Leak at Go Sport

In December 2024, French sporting-goods retailer Go Sport was named in dark-web claims of a customer data leak; the alleged fresh breach was debunked, with the data tracing back to a 'go-sport.com' file in an earlier compilation of past French breaches.

Victim
Go Sport
Data breachContained

Data leak at Top Achat

On 12 December 2024, French PC-hardware e-tailer Top Achat (LDLC group) disclosed a breach exposing customer names, email and postal addresses; no passwords or payment data were affected. The intrusion was linked to an earlier compromise at parent company LDLC.

Victim
Top Achat
Data breachOngoing

Leak at LDLC

On 10 December 2024, French high-tech e-commerce retailer LDLC disclosed a data breach exposing personal data (names, email addresses, phone numbers) of both its online and in-store customers — potentially several million people — though it stated no financial or sensitive data was affected.

Victim
LDLC