Skip to content
Data breachContained

Data leak at Système U

In April 2026, French retail cooperative Système U disclosed a breach of its magasins-u.com loyalty portal in which attackers gained unauthorized access to customer accounts, exposing names, contact details and loyalty-card numbers but no banking data.

Victim
Système U

On 24 April 2026, Système U — the French retail cooperative behind the Super U, Hyper U, U Express and Utile supermarket brands — began notifying customers that its magasins-u.com loyalty portal had been hit by a malicious cyberattack. The cooperative detected suspicious activity and confirmed that an external attacker had obtained unauthorized access to a number of customer loyalty accounts.

The intrusion targeted the online loyalty space rather than payment systems. Reporting points to automated, large-scale attempts to log into accounts (consistent with credential-stuffing-style abuse), after which Système U reinforced its anti-bot protections and added technical barriers to block fraudulent reconnection attempts. No attack method was officially named by the company.

Exposed personal data reportedly included:

  • First and last name, plus civility and professional/customer status
  • Email address and postal address
  • Phone number
  • Loyalty (Carte U) card number

Système U stated that no banking data was compromised — no card numbers, IBANs or payment information were affected. The cooperative notified France's data-protection regulator, the CNIL, within the GDPR 72-hour window, and urged customers to change their magasins-u.com password and to reset their four-digit Carte U PIN in-store with ID. The main residual risk is targeted phishing using the leaked contact details.

Sources

  1. economiematin.frhttps://www.economiematin.fr/cyberattaque-magasin-u-clients
  2. generation-nt.comhttps://www.generation-nt.com/actualites/cyberattaque-super-u-donnees-personnelles-fuite-phishing-2074508
  3. thesiteoueb.nethttps://www.thesiteoueb.net/actualite/amp-article-9494-cyberattaque-chez-super-u-des-comptes-clients-de-l-espace-magasins-u-com-compromis.html

Related incidents

Data breachOngoing

1,528 contacts at Nature & Cie, claimed leak

In late May 2026, a B2B commercial database attributed to French organic-food distributor Nature & Cie surfaced on a cybercriminal forum, exposing roughly 5,635 stores, over 1,500 professional contacts and around 1,500 sales-visit reports covering Biocoop, Naturalia and La Vie Claire partners.

Victim
Nature & Cie
Records
1.5K