Data leak at Synbird
In November 2025, Synbird — the SaaS provider handling municipal appointment bookings for around 1,300 French communes — disclosed a breach in which an attacker abused a weakly-secured PDF export to exfiltrate residents' contact details and appointment information.
- Victim
- Synbird
On 18 November 2025, Synbird — the SaaS platform that handles online appointment bookings (notably civil-registry and ID-document slots) for roughly 1,300 French municipalities — disclosed a data breach affecting residents across its town-hall clients. Because Synbird acts as a subcontractor to the communes, the incident cascaded into a supply-chain exposure touching local governments nationwide, including towns such as La Rochelle, Martigues and several in Brittany.
The intrusion took place between 24 and 26 October 2025 and was detected and blocked on 26 October. An attacker logged into a municipal agent's Synbird account — reportedly using credentials harvested from an earlier, unrelated leak — and then discovered that the appointment-list PDF export feature was less strictly secured than other data-access paths. Using it, the attacker generated and downloaded roughly fifty files per municipality, covering appointments created between 8 and 26 October 2025.
The exposed data was limited to information entered when booking an appointment:
- First and last name
- Email address
- Phone number
- Postal address
- Appointment date, time, location and purpose
Synbird states that no passwords, identity-document images or financial data were compromised. The company notified the CNIL and ANSSI on 27 October 2025, patched the export vulnerability, and rolled out additional controls including request rate-limiting, IP filtering and two-factor authentication, with an ANSSI-qualified audit planned for early 2026. No fraudulent use of the data had been detected at the time of disclosure.
Sources
- france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/bretagne/finistere/quimper/vol-massif-de-donnees-en-bretagne-au-moins-cinq-communes-touchees-l-enquete-s-accelere-voici-ce-que-l-on-sait-3252205.html
- synbird.comhttps://www.synbird.com/fr/faq-protection-des-donnees/
- banquedesterritoires.frhttps://www.banquedesterritoires.fr/fuite-de-donnees-dans-1300-communes-les-prestataires-en-cause