Skip to content

Incidents from

2026

Data breachOngoing

Nintendo employee survey data stolen via third-party TinyPulse platform

Nintendo of America confirmed that threat actors stole internal employee survey data from TinyPulse, a third-party HR engagement platform it used, after the SHADOWBYT3$ group claimed to have exfiltrated about 859 MB of data and demanded a US$2 million ransom — while stressing that Nintendo's own systems and customer data were not affected.

Victim
Nintendo of America
Credential stuffingOngoing

FortiBleed: leaked dataset exposes VPN credentials for ~74,000 Fortinet firewalls

A dataset dubbed FortiBleed exposed valid Fortinet FortiGate VPN credentials — including plaintext passwords — for 73,932 firewall URLs across 194 countries, the product of a Russian-speaking crew that reused passwords from earlier breaches and infostealer logs rather than any new Fortinet vulnerability.

Victim
Organizations running Fortinet FortiGate firewalls worldwide
EspionageContained

UNC6508 PRC-nexus medical & defense research espionage campaign

Google's Threat Intelligence Group disclosed that PRC-nexus actor UNC6508 spent more than a year inside U.S. and Canadian medical, academic and military-health research environments, compromising legacy REDCap servers, deploying custom INFINITERED malware and abusing Google Workspace email compliance rules to silently exfiltrate research and defense data.

Victim
U.S. and Canadian medical, academic and military-health research institutions
Supply chainContained

OptinMonster, TrustPulse and PushEngage WordPress plugins backdoored in Awesome Motive CDN supply-chain attack

Attackers stole a CDN API key from Awesome Motive and tampered with JavaScript served to the OptinMonster, TrustPulse and PushEngage WordPress plugins, silently creating rogue administrator accounts and planting backdoors on sites whose logged-in admins loaded the malicious code.

Victim
Awesome Motive (OptinMonster, TrustPulse, PushEngage)
MalwareContained

152 'live wallpaper' Chrome extensions caught harvesting user data and faking Google search traffic

Socket's Threat Research Team uncovered a coordinated family of 152 new-tab 'live wallpaper' Chrome extensions, spread across 38 publisher accounts and three brands, that secretly logged user telemetry and laundered extension-generated visits into fake Google organic search traffic despite declaring they collected no data.

Victim
Google Chrome Web Store users
Supply chainOngoing

'Atomic Arch' supply-chain attack hijacks 400+ Arch Linux AUR packages to deploy a credential stealer and eBPF rootkit

Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.

Victim
Arch User Repository (AUR)
Data breachOngoing

FulcrumSec leaks Global Schools Foundation data, exposing 33,000+ children's and parents' passports

The extortion group FulcrumSec claimed it stole roughly 4.8 terabytes of data from Singapore-based Global Schools Foundation after exploiting database credentials left unchanged since a 2022 breach, leaking 33,088 passport numbers belonging to children and parents and around 9.4 million internal messages when ransom negotiations collapsed.

Victim
Global Schools Foundation
Data breachResolved

Atlas Menu data breach (2026)

In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository.

Victim
Atlas Menu
Records
63.9K
Data breachResolved

BCD Travel data breach (2026)

In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses.

Victim
BCD Travel
Records
396.3K
Data breachOngoing

1,528 contacts at Nature & Cie, claimed leak

In late May 2026, a B2B commercial database attributed to French organic-food distributor Nature & Cie surfaced on a cybercriminal forum, exposing roughly 5,635 stores, over 1,500 professional contacts and around 1,500 sales-visit reports covering Biocoop, Naturalia and La Vie Claire partners.

Victim
Nature & Cie
Records
1.5K
Supply chainContained

Leak at Alan (via Almerys)

On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data — names, dates of birth, social security numbers and insurance contract details — though payment, password and health data were spared.

Victim
Alan
Data breachResolved

Charter data breach (2026)

In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign.

Victim
Charter
Records
4.9M
Data breachUnknown

23,685 records: claimed leak at ATOA

A threat actor put a database from ATOA — a French real-estate tokenization and fractional-investment fintech — up for sale on a dark web forum, exposing roughly 23,685 user and financial records plus 326 full KYC archives containing passports, ID cards and banking details.

Victim
ATOA
Records
23.7K
Vulnerability exploitContained

Leak at Maeva

In May 2026, Maeva — the holiday-rental brand of Pierre & Vacances-Center Parcs — disclosed a breach in which an attacker scraped up to ten years of booking data, exposing names, dates of birth, phone numbers and stay details for around 4.5 million customers across 1.6 million reservations.

Victim
Maeva
Data breachOngoing

Leak at Once for all (via Actradis)

On 11 May 2026, Once For All disclosed unauthorized access to its Actradis B2B compliance platform, exposing professional contact data (names, professional emails, phone and contact details); a leaked database circulating since early May reportedly held about 305,000 records.

Victim
Once for all
Data breachOngoing

Leak at La France Insoumise

In May 2026, France's La France Insoumise party had data from its Action Populaire activist platform stolen and posted on a hacking forum, exposing some 120,000 email addresses, 20,000 phone numbers, postal addresses and member activity spanning 2017-2026.

Victim
La France Insoumise
Data breachContained

Leak at Bilov

In May 2026, Bilov — operator of the French Boulangeries Ange bakery chain — disclosed a data breach exposing the personal details (name, city, phone number) of around 812,000 customers after an active authentication token allowed unauthorized API access.

Victim
Bilov
Records
812.0K
Data breachResolved

Cushman & Wakefield data breach (2026)

In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with…

Victim
Cushman & Wakefield
Records
310.4K
Data breachContained

Leak at French Basketball Federation

In April 2026 the French Basketball Federation (FFBB) suffered a data breach after an attacker abused a compromised user account in its licensee-management tool, exposing identity and contact details of up to ~2 million licensees and ~900,000 legal representatives.

Victim
French Basketball Federation
Data breachOngoing

Leak at Interrail

A December 2025 cyberattack on Eurail B.V., operator of the Interrail and Eurail rail passes, exposed personal data of roughly 308,000 travellers — including names, contact details, dates of birth and passport numbers — which by 2026 was being sold on the dark web.

Victim
Interrail
Records
308.8K
Data breachRansom paid

Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools — names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

Victim
Instructure (Canvas LMS)
Loss
$10.0M
Records
275.0M
Data breachResolved

Reborn Gaming data breach (2026)

In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned.

Victim
Reborn Gaming
Records
126
Data breachContained

Acrimed: online shop hit by a cyberattack

On 29 April 2026, French media-criticism association Acrimed disclosed a cyberattack on its online shop that exposed customers' email addresses, encrypted passwords and order history; names, postal addresses, phone numbers and banking details were said to be unaffected.

Victim
Acrimed
Data breachResolved

Vimeo data breach (2026)

In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.

Victim
Vimeo
Records
119.2K
Data breachResolved

CTT data breach (2026)

In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.

Victim
CTT
Records
468.1K
Data breachUnknown

Leak at Céram Décor

On 25 April 2026, a confirmed data leak exposed customer personal data — names, email addresses, phone numbers, postal addresses and hashed passwords — from French ceramic and tile decoration retailer Céram Décor.

Victim
Céram Décor
Data breachContained

Leak at Agence Nationale des Fréquences

ANFR, France's national frequency agency, disclosed that an intrusion into its Radiomaritime online service exposed the personal data — names, postal addresses, phone numbers, emails and dates of birth — of roughly 330,000 users; a sample was put up for sale online.

Victim
Agence Nationale des Fréquences
Records
330.0K
Data breachContained

Data leak at Système U

In April 2026, French retail cooperative Système U disclosed a breach of its magasins-u.com loyalty portal in which attackers gained unauthorized access to customer accounts, exposing names, contact details and loyalty-card numbers but no banking data.

Victim
Système U
Data breachResolved

Udemy data breach (2026)

In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors.

Victim
Udemy
Records
1.4M
Data breachContained

Data leak at Magasins U - unspecified volume

In April 2026, French retail cooperative Magasins U notified loyalty-card holders that unauthorized access to its magasins-u.com customer area exposed personal data including names, contact details and loyalty-card numbers, though banking data was not affected.

Victim
Magasins U
Data breachResolved

ADT data breach (2026)

In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses.

Victim
ADT
Records
5.5M
Data breachResolved

Aman data breach (2026)

In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses.

Victim
Aman
Records
215.6K
Data breachContained

12 million people in the ANTS data leak

France Titres (ANTS), the French government agency issuing secure identity documents, disclosed a breach of its moncompte.ants.gouv.fr portal via an IDOR API flaw; officials confirmed 11.7 million accounts exposed (names, dates of birth, emails, addresses), while a hacker claimed up to 19 million records.

Victim
ANTS (France titres)
Records
11.7M
Data breachResolved

Canada Life data breach (2026)

In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets.

Victim
Canada Life
Records
237.8K
Data breachResolved

Pitney Bowes data breach (2026)

In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations.

Victim
Pitney Bowes
Records
8.2M
Data breachResolved

Carnival data breach (2026)

In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked.

Victim
Carnival
Records
7.5M
Data breachOngoing

Moulin Roty: customer data exposed after a cyberattack

On 18 April 2026 French toy and baby-goods brand Moulin Roty emailed customers to warn that a cyberattack on its shared Magento e-commerce platform may have exposed identity, contact, account-login, purchase-history and marketing data, though no compromise was confirmed and banking details were not affected.

Victim
Moulin Roty
Supply chainContained

Leak at Jeu Jouet

French online toy retailer JeuJouet.com warned customers in April 2026 that its Magento e-commerce platform was compromised in a mass exploitation campaign, potentially exposing names, email addresses, account credentials and order data; no banking details were affected.

Victim
Jeu Jouet
Data breachResolved

Kemper data breach (2026)

In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign.

Victim
Kemper
Records
269.3K
Data breachResolved

Zara data breach (2026)

In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign.

Victim
Zara
Records
197.4K
Data breachResolved

Abrigo data breach (2026)

In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo…

Victim
Abrigo
Records
711.1K
Supply chainOngoing

Leak at IAE Grenoble (via AlumnForce)

In April 2026, alumni of IAE Grenoble were exposed in a breach of AlumnForce, the third-party platform managing its alumni network; the stolen dataset spanned ~2.7M profiles across 49 French institutions and included names, contact details and full professional/education histories.

Victim
IAE Grenoble
Data breachResolved

Marcus & Millichap data breach (2026)

In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group.

Victim
Marcus & Millichap
Records
1.8M
Data breachResolved

Mytheresa data breach (2026)

In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses.

Victim
Mytheresa
Records
84.1K
Data breachOngoing

DB Telecom: a 40k-customer database put up for sale

Around 10 April 2026, a threat actor put DB Telecom (Service Telecom) — a Marseille-based IP-telephony operator on the Orange/Or-Tel network — up for sale, leaking a database of roughly 41,470 customers and 2,835,372 records including names, contacts, plaintext passwords and internal emails.

Victim
DB Telecom
Records
2.8M
Supply chainOngoing

Leak at ENSAI Network (via AlumnForce)

ENSAI Network alumni data was exposed in the April 2026 breach of its platform provider AlumnForce, which leaked some 2.7 million student and graduate profiles from 49 French institutions — including names, emails, phone numbers, locations, career history and education details — now offered for sale on cybercrime forums.

Victim
ENSAI Network
Supply chainOngoing

Leak at Lilagora (via AlumnForce)

In April 2026, Lilagora — the University of Lille's alumni network — saw its members' data exposed in a breach of its third-party platform provider AlumnForce, part of a wider incident affecting 2.7 million profiles across 49 French institutions, with names, contact details and professional histories leaked.

Victim
Lilagora
Data breachResolved

McGraw Hill data breach (2026)

In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform".

Victim
McGraw Hill
Records
13.5M
Data breachResolved

7-Eleven data breach (2026)

In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers.

Victim
7-Eleven
Records
185.3K
Data breachResolved

My Lovely AI data breach (2026)

In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames.

Victim
My Lovely AI
Records
106.3K
Data breachResolved

LegionProxy data breach (2026)

In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.

Victim
LegionProxy
Records
10.1K
Supply chainContained

Leak at Contrat d'intégration républicaine

France's OFII immigration agency notified signatories of the Contrat d'intégration républicaine that a January 2026 breach via a compromised subcontractor exposed the names, emails, phone numbers and postal addresses of roughly 2.1 million people.

Victim
Contrat d'intégration républicaine
Records
2.1M
Data breachResolved

Amtrak data breach (2026)

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly.

Victim
Amtrak
Records
2.1M
Data breachContained

Data leak at La Quiberonnaise

In early April 2026, the French cannery La Quiberonnaise confirmed that unauthorized access to its systems exposed customer personal data — names, postal addresses, email addresses and phone numbers — with the company notifying affected clients by email and reporting the breach to the CNIL.

Victim
La Quiberonnaise
Data breachResolved

SongTrivia2 data breach (2026)

In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt…

Victim
SongTrivia2
Records
291.7K
Data breachResolved

Hallmark data breach (2026)

In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming…

Victim
Hallmark
Records
1.7M
Supply chainContained

Homair: customer data exposed after a cyberattack

On 31 March 2026, French camping and holiday-village operator Homair disclosed a data breach traced to a compromised third-party technical provider, exposing customers' names, email addresses, phone numbers and booking details (destination, stay dates, amount paid), while bank data, passwords and postal addresses were said to be unaffected.

Victim
Homair
Supply chainContained

Leak at La Mine Bleue (via Vivaticket)

On 31 March 2026, French tourist attraction La Mine Bleue notified customers that their personal data — names, postal code/country, email and purchase history — was exposed in the ransomware breach of its ticketing provider Vivaticket; no banking data was affected.

Victim
La Mine Bleue
Data breachUnknown

Leak at GDQuest

On 30 March 2026, a database from GDQuest — a French e-learning platform for the Godot game engine — surfaced on a hacking forum, exposing learners' email addresses, usernames/account slugs and the titles and prices of purchased courses.

Victim
GDQuest
Data breachContained

Le Petit Vapoteur: 3.3 million customers exposed

In late March 2026, French e-cigarette retailer Le Petit Vapoteur was hit by a data breach after a hacker using the alias 'undef' put its customer database up for sale, exposing names, emails, phone numbers, postal addresses and IP logs for a claimed 3.3 million customers and 599 employees spanning 2012-2026.

Victim
Le Petit Vapoteur
Records
3.3M
Data breachResolved

ZenBusiness data breach (2026)

In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform.

Victim
ZenBusiness
Records
5.1M
Data breachResolved

BreachForums Version 5 data breach (2026)

In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and argon2 password hashes.

Victim
BreachForums Version 5
Records
339.8K
Data breachUnknown

Leak at Les Champs Libres

On 26 March 2026, a breach at Les Champs Libres — the public cultural complex in Rennes — exposed user account data including names, email addresses, phone numbers and plain-text passwords.

Victim
Les Champs Libres
Data breachResolved

Addi data breach (2026)

In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised".

Victim
Addi
Records
34.5M
Data breachResolved

Sound Radix data breach (2026)

In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names.

Victim
Sound Radix
Records
293.0K
Supply chainContained

Leak at Crunchyroll

On 24 March 2026, anime streaming service Crunchyroll confirmed a data breach traced to a compromised third-party support vendor (Telus), exposing customer support-ticket data — names, emails, IP addresses and partial payment-card details — with a hacker claiming ~8M ticket records and ~6.8M unique email addresses.

Victim
Crunchyroll
Supply chainContained

Leak at Europa (European Commission)

In March 2026, the European Commission's Europa.eu web-hosting infrastructure was breached via a stolen AWS key (Trivy supply-chain compromise); ~91.7 GB of data covering 30+ EU entities — names, emails, email content and documents — was exfiltrated and leaked by ShinyHunters.

Victim
Europa (European Commission)
Data breachContained

62,511 records in the SIA data leak

In late March 2026, a hacker put up for sale data on 62,511 firearms registered in France's Système d'Information sur les Armes (SIA), exposing owners' names, postal addresses, emails, phone numbers, weapon details and transaction histories.

Victim
Système d'Information sur les Armes (SIA)
Records
62.5K
Vulnerability exploitContained

Leak at I-Cad

I-Cad, France's national dog, cat and ferret identification registry, disclosed in March 2026 that a September 2025 software vulnerability had allowed automated querying of its database, exposing users' email addresses and fuelling phishing campaigns against pet owners.

Victim
I-Cad
Data breachUnknown

109,302 CMF members: data leak claimed

On 20 March 2026, a database of the Confédération Musicale de France (CMF) — France's federation of amateur music ensembles and schools — was put up for sale by the actor HexDex, allegedly exposing 109,302 members including many minors, with identities, contact details, school records and disability notes.

Victim
Confédération Musicale de France (CMF)
Records
109.3K
Data breachContained

Data leak at Mingat

On 19 March 2026, French vehicle-rental company Mingat confirmed a data leak affecting its customers, notifying them of a security incident that exposed personal information held in its rental records.

Victim
Mingat
Supply chainOngoing

10,816 Canada Goose customers in a data leak

French customers of luxury outerwear brand Canada Goose were caught up in a data leak by the ShinyHunters extortion group, with 10,816 records in the France-related subset of a broader corpus of roughly 600,000 customer records traced to a third-party payment processor.

Victim
Canada Goose
Records
10.8K
Supply chainOngoing

Leak at Musée des Arts et Métiers

Disclosed on 18 March 2026, the Musée des Arts et Métiers was caught up in the Vivaticket supply-chain ransomware breach, exposing online shop and ticketing customers' names, email addresses, account details and order history.

Victim
Musée des Arts et Métiers
Supply chainContained

Leak at Bibliothèque Nationale de France

A March 2026 ransomware attack on the Bibliothèque Nationale de France's third-party online ticketing provider exposed the names and email addresses of users who had booked cultural events; banking data, handled by a separate vendor, was not affected.

Victim
Bibliothèque Nationale de France
Data breachResolved

Divine Skins data breach (2026)

In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email…

Victim
Divine Skins
Records
105.8K
Data breachOngoing

476,282 customers affected by a claimed leak at Intersport Rent

On 11 March 2026, a database belonging to INTERSPORT Rent — the ski- and snowboard-equipment rental arm of the Intersport sports retail group — was dumped on a hacker forum, exposing roughly 1.2 million rows covering about 476,282 unique customers, including names, emails, phone numbers, loyalty numbers and rental order histories.

Victim
Intersport Rent
Records
476.3K
Data breachUnknown

Leak at Pronote

A claimed leak of Pronote login credentials (email addresses and passwords) belonging to French students and parents was reported circulating for sale on the dark web; publisher Index Education stated its own systems were not breached, the credentials stemming from phishing and account theft.

Victim
Pronote
Data breachContained

Data leak at Vatel Capital

On 9 March 2026, French AMF-regulated asset manager Vatel Capital emailed its clients to disclose an accidental exposure of files that occurred between 21 February and early March 2026, affecting personal data held by the firm.

Victim
Vatel Capital
Data breachResolved

Baydöner data breach (2026)

In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords.

Victim
Baydöner
Records
1.3M
Data breachResolved

Aura data breach (2026)

In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected.

Victim
Aura
Records
903.1K
Supply chainOngoing

Data leak at Centre des Monuments Nationaux

In early March 2026, France's Centre des Monuments Nationaux disclosed a data leak stemming from a ransomware attack on its online ticketing provider, exposing visitors' emails, names, postal addresses, purchase history and hashed passwords, but no banking data.

Victim
Centre des Monuments Nationaux
Data breachUnknown

15,000 employees affected by claimed data leak at ANCT

On 4 March 2026, a threat actor claimed on a hacking forum to be selling a database tied to France's Agence Nationale de la Cohésion des Territoires (ANCT), allegedly exposing professional and contact details of around 15,000 employees and administrative contacts, with a sample posted as proof.

Victim
Agence Nationale de la Cohésion des Territoires (ANCT)
Data breachResolved

SUCCESS data breach (2026)

In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes.

Victim
SUCCESS
Records
253.5K
Data breachResolved

Woflow data breach (2026)

In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group. The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data.

Victim
Woflow
Records
447.6K
Data breachResolved

Ameriprise data breach (2026)

In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure,…

Victim
Ameriprise
Records
502.6K
Data breachContained

Leak at Cloud Imperium Games

Cloud Imperium Games, developer of Star Citizen and Squadron 42, disclosed in March 2026 that a January attack on its backup systems gave intruders read-only access to player account data including names, usernames, dates of birth and contact details.

Victim
Cloud Imperium Games
RansomwareContained

Leak at Lisi

In early March 2026, French aerospace and automotive fastener manufacturer LISI Group was hit by the Qilin ransomware gang, which exfiltrated a limited set of corporate data — bank account/IBAN details, supply contracts, confidentiality agreements and employee information — from two ancillary sites.

Victim
Lisi
Data breachResolved

Leak at MDPH 92

In early March 2026, MDPH 92 — the Hauts-de-Seine disability services agency — accidentally exposed around 500 beneficiaries' email addresses by sending a mass post-cyberattack notice with recipients in CC instead of BCC.

Victim
MDPH 92
Records
500
Supply chainContained

Leak at Palais de la Porte Dorée

On 2 March 2026, the Palais de la Porte Dorée was among 40+ French cultural institutions affected by a ransomware attack on shared ticketing provider Vivaticket, potentially exposing visitors' names, contact details, dates of birth, purchase histories and encrypted passwords.

Victim
Palais de la Porte Dorée
Data breachContained

Leak at Paris Adult Courses Platform

On 2 March 2026, the City of Paris confirmed a data breach affecting the Cours d'Adultes de Paris (adult education) platform, exposing names, dates of birth, emails, postal addresses and phone numbers of users registered before May 2025; no passwords or banking data were affected.

Victim
Paris Adult Courses Platform
RansomwareUnknown

Data leak at Tactis

In early 2026, French digital-infrastructure consultancy Tactis was hit by the Qilin ransomware gang, which listed the firm on its leak site and threatened to publish exfiltrated internal data covering its telecom and smart-city projects for public and private clients.

Victim
Tactis
Data breachContained

Data leak at Union Nationale du Sport Scolaire

France's school-sport federation UNSS disclosed in late February 2026 that intruders accessed its OPUSS membership platform and leaked personal data and roughly 1.5 million ID photos of student athletes (11-18) on the darknet, spanning ~668,000 current and ~889,000 former members.

Victim
Union Nationale du Sport Scolaire
Data breachContained

3 million students: claimed data leak at UNSS #2

On 28 February 2026, the group DumpSec claimed it had exfiltrated about 65 GB of data and roughly 1.5 million student identity photos from the French school sports federation UNSS, after breaching its OPUSS intranet; names, birth dates, schools and contact details were exposed.

Victim
UNSS #2
Data breachContained

Leak at ESPCI

In late February 2026, ESPCI Paris (a PSL University engineering and research school) disclosed that an access-control flaw let unidentified actors harvest its internal directory, exposing identity and contact details of students, staff and external personnel; passwords were not affected.

Victim
ESPCI
Data breachContained

Leak at French Gymnastics Federation

In late February 2026, France's gymnastics federation (FFGym) disclosed a breach of its FFGym Licence system via a phished club account, exposing data on roughly 2.9 million current and former licensees registered since 2004.

Victim
French Gymnastics Federation
Records
2.9M
Supply chainContained

Leak at Sports and Cultural Federation of France

The Sports and Cultural Federation of France (FSCF) had the personal data of roughly 1.33 million members exposed after a third-party licence-management provider was compromised, leaking names, dates of birth, postal addresses, contact details and licence/membership records.

Victim
Sports and Cultural Federation of France
Records
1.3M
Data breachResolved

KomikoAI data breach (2026)

In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses.

Victim
KomikoAI
Records
1.1M
Data breachResolved

Lovora data breach (2026)

In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of the app.

Victim
Lovora
Records
495.6K
Data breachContained

80,000 documents: claimed leak at Unis Cité

On 23 February 2026, the civic-service association Unis Cité was hit by a data breach exposing roughly 80,000 people and around 40 GB of data, including national ID cards, photos, IBANs and other sensitive documents on young volunteers, claimed by the DumpSec group.

Victim
Unis Cité
Records
80.0K
Data breachContained

Data leak at the French Badminton Federation

The French Badminton Federation disclosed that an unauthorized export from its internal Poona membership platform, traced to a compromised administrator account and discovered in September 2025, exposed personal data on roughly 300,000 licensed members, including names, dates of birth, contact details and parents' names.

Victim
French Badminton Federation
Records
300.0K
Supply chainOngoing

Claimed leak at MaSalleDeSport - unspecified volume

On 22 February 2026, a hacker known as "84City" claimed to have breached MaSalleDeSport, a CRM and management provider for 2,000+ French gyms (Basic-Fit, Fitness Park, ON AIR Fitness, L'Orange Bleue), exposing member names, phone numbers, SMS and addresses for a potential 1M+ people.

Victim
MaSalleDeSport (Basic-Fit, Fitness Park..)
Data breachUnknown

8,861 staff - data leak at the French Ministries of the Interior & Armed Forces

On 20 February 2026, a compilation of personal data covering 8,861 staff of the French Ministries of the Interior and Armed Forces — including names, dates of birth, contact details and internal identifiers — surfaced on underground forums, part of a wider aggregate of leaks affecting French public agents.

Victim
French Ministries of the Interior & Armed Forces
Records
8.9K
Data breachOngoing

2,393 officials affected by a Police, Gendarmerie, CNIL data leak

On 20 February 2026, a compiled database exposing 2,393 French state agents — from the Police, Gendarmerie, Defence ministry, DGSI, DGSE, Customs and the CNIL (including 86 CNIL staff) — was published on underground forums, leaking identity, contact and professional details aggregated from hundreds of prior breaches.

Victim
Police, Gendarmerie, CNIL (officials)
Records
2.4K
Data breachUnknown

Leak at FFCK and Paddle Sports

In February 2026, the French Canoe Kayak and Paddle Sports Federation (FFCK) had a member database covering decades of licence-holders leaked and offered for sale, exposing the names, dates of birth, postal addresses, phone numbers, emails and club/licence details of roughly 393,374 people.

Victim
FFCK and Paddle Sports
Records
393.4K
Data breachContained

Leak at the French Ministry of Sports, Youth and Community Life

In February 2026, the French Ministry of Sports, Youth and Community Life had data on roughly 450,000 candidates exfiltrated from its FORÔMES sports/youth training platform after a legitimate training organisation's account was compromised, exposing names, contact details and dates and places of birth.

Victim
French Ministry of Sports, Youth and Community Life
Records
450.0K
Data breachContained

450,000 FOROM users hit by a data leak

On 19 February 2026 the French Ministry of Sports disclosed that data on roughly 450,000 candidates was exfiltrated from its FORÔMES training and diploma platform after a legitimate training-organisation account was compromised, exposing names, contact details and dates and places of birth.

Victim
French Ministry of Sports (FOROM platform)
Records
450.0K
Data breachContained

Leak at Direction Générale des Finances Publiques

France's tax authority (DGFiP) disclosed on 18 Feb 2026 that an attacker who hijacked a civil servant's credentials accessed FICOBA, the national bank-account registry, exposing identity, address, IBAN and in some cases tax-ID data for about 1.2 million account holders.

Victim
Direction Générale des Finances Publiques
Records
1.2M
Data breachUnknown

Leak at Espace CE

In February 2026, personal data belonging to thousands of employees was found circulating on the dark web after a breach of Espace CE (Espace CSE), a French platform managing benefits for Works Councils; exposed fields included names, contact details, dates of birth and hashed passwords.

Victim
Espace CE
Data breachContained

1.2 million bank accounts: data leak at FICOBA

France's Ministry of the Economy and Finance disclosed that an intruder who usurped a civil servant's credentials had illegitimately accessed the national bank-account registry FICOBA from late January 2026, exposing the IBAN/RIB details, identity, address and in some cases tax ID of holders of about 1.2 million accounts.

Victim
FICOBA (French Ministry of the Economy and Finance)
Records
1.2M
Supply chainContained

358,000 Réglo Mobile (Leclerc) customers affected by a data leak

On 18 February 2026, Réglo Mobile — the E.Leclerc/SFR-backed mobile virtual operator — disclosed that a subcontractor breached from 13 February exposed data on about 358,000 customers, including identity, contact details, dates of birth, PUK codes, call records and partial banking data, with the database offered for sale by actor "84City".

Victim
Réglo Mobile (Leclerc)
Records
358.0K
Data breachResolved

Quitbro data breach (2026)

In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time.

Victim
Quitbro
Records
22.9K
Supply chainContained

Data leak at Voyage Privé - upcoming bookings exposed

Voyage Privé, the French flash-sale travel platform, confirmed in February 2026 that a compromised third-party partner exposed reservation data for customers with upcoming trips — including names, country of residence, emails, phone numbers and, in some cases, passport numbers — fuelling a wave of WhatsApp phishing.

Victim
Voyage Privé
Data breachOngoing

14,753 people affected by a claimed leak at EPITA

On 15 February 2026, the Lapsus$ group listed a database allegedly stolen from French engineering school EPITA on BreachForums, claiming records on 14,753 students and staff including names, email addresses, graduation years and profile photos.

Victim
EPITA (École Pour l'Informatique et les Techniques Avancées)
Records
14.8K
Data breachResolved

CarGurus data breach (2026)

In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings,…

Victim
CarGurus
Records
12.5M
Supply chainOngoing

Leak at Grain de Malice (via Socloz)

Customer data of French womenswear retailer Grain de Malice was exposed in February 2026 through a breach of its omnichannel retail provider Socloz, leaking names, email addresses and phone numbers as part of a dataset of up to ~31 million records.

Victim
Grain de Malice
Data breachContained

3,600 Gustave-Auto customers affected by a claimed data leak

Gustave-Auto, a French automotive services platform (vehicle convoyage, fleet management and repairs), disclosed in February 2026 that an access anomaly exposed partner data — names, postal and email addresses, phone numbers, IBAN/BIC banking details and SIRET/VAT numbers — with a tracker claim citing around 3,600 records.

Victim
Gustave-Auto
Records
3.6K
Data breachContained

Cyberattack at Les Restos du Cœur

On 11 February 2026, French food-aid charity Les Restos du Cœur suffered a cyberattack on an internal system, exposing the personal data of its employees and volunteers, including names, roles, departments, email addresses and phone numbers.

Victim
Les Restos du Cœur
Data breachResolved

Odido data breach (2026)

In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days.

Victim
Odido
Records
6.1M
Data breachContained

Leak at Commune de Bourg-Achard

The town hall of Bourg-Achard (Eure, Normandy) disclosed a cyberattack dating to 29 January 2026 that led to a data leak, with municipal room-reservation records among the information exposed; the CNIL, gendarmerie and ANSSI/Normandie Cyber were notified.

Victim
Commune de Bourg-Achard
Supply chainContained

Data leak at Safran Group: supply chain exposed

In February 2026, a database tied to French aerospace and defense group Safran surfaced on a hacking forum, exposing roughly 718,716 order records — names, emails, phone numbers, ERP references and logistics data — leaked through a third-party provider rather than Safran's own systems.

Victim
Safran Group
Records
718.7K
Data breachContained

Leak at La Carte Avantage Jeune

A January 2026 breach of Info Jeunes Bourgogne-Franche-Comté's Carte Avantages Jeunes platform exposed the personal data of roughly 283,000 cardholders, including names, dates of birth, addresses, phone numbers and identity documents, later put up for sale on the dark web.

Victim
La Carte Avantage Jeune
Data breachUnknown

Data leak at Prozon, volume not specified

In February 2026, French company Prozon disclosed a data breach affecting its customers after an attacker gained unauthorised access to one of its infrastructure tools; the company confirmed the incident and notified France's data-protection regulator, the CNIL, though the volume of affected records was not specified.

Victim
Prozon
Data breachContained

Data leak at Sumsub

In February 2026, identity-verification (KYC) provider Sumsub disclosed a 2024 breach — undetected for ~18 months — in which an attacker reached a customer-support environment and exposed the names, email addresses and phone numbers of clients of crypto and fintech platforms it serves.

Victim
Sumsub
Data breachContained

Leak at the French Office for Biodiversity

In early February 2026 the French Office for Biodiversity (OFB) disclosed that an intrusion into its national hunting-licence application exposed personal data of licence candidates, applicants and holders — including full identity, contact details, nationality and licence numbers.

Victim
French Office for Biodiversity
Data breachContained

Leak at French Table Tennis Federation

The French Table Tennis Federation (FFTT) disclosed a cyberattack in which a compromised account was used to bulk-extract licence-holder records — names, dates and places of birth, nationality, licence numbers and contact details for an estimated 210,000–254,000 members; no banking or health data was affected.

Victim
French Table Tennis Federation
Data breachContained

Leak at French Sailing Federation

In early February 2026, France's national sailing federation (FFVoile) disclosed a data breach of its licence-management platform via a compromised club account, exposing personal data of several hundred thousand licensees including names, birthdates, addresses, emails, phone numbers and disability status.

Victim
French Sailing Federation
Data breachOngoing

Leak at the City of Paris

A leaked file from the City of Paris's municipal adult-education platform (Cours municipaux pour adultes) exposed the personal data of 320,292 registered users, including names, dates of birth, postal addresses, phone numbers and email addresses; no passwords or banking data were involved.

Victim
City of Paris
Records
320.3K
Data breachResolved

Toy Battles data breach (2026)

In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.

Victim
Toy Battles
Records
1.0K
Data breachOngoing

Leak at ADMR

On 5 February 2026, the threat group RavenSec claimed a breach of France's ADMR home-care network, leaking member data — names, email and postal addresses and organisation details — with over 10,000 people initially affected and a claimed underlying database of millions.

Victim
ADMR
Data breachUnknown

813,983 FFRandonnée members - claimed data leak

On 5 February 2026, the French Hiking Federation (FFRandonnée) was named in a claimed data leak said to expose the personal records of 813,983 members, part of the 2026 wave of breaches hitting French sports federations through shared licensee-management systems.

Victim
French Hiking Federation
Records
814.0K
Data breachUnknown

Data leak at Protexia France

In early February 2026, Protexia France — the legal-protection insurance subsidiary of Allianz France — was reported to have suffered a data breach exposing personal information belonging to its policyholders and contacts.

Victim
Protexia France
Supply chainContained

828,000 stop-points exposed in data leak at Loxam

On 4 February 2026, French equipment-rental group Loxam disclosed a breach of a third-party delivery-planning system that exposed roughly 60 GB of logistics data — 94,735 delivery routes and about 828,000 geolocated stop-points covering 2020-2026, plus customer, driver and vehicle details.

Victim
Loxam
Data breachContained

377,418 jobseekers - data leak at Choisir le service public

France's state recruitment portal Choisir le service public disclosed in early February 2026 a breach exposing the application profiles of 377,418 candidates after attackers abused a compromised manager account; names, contact details, birth dates and career data were leaked and offered for sale.

Victim
Choisir le service public (Gouv.fr)
Records
377.4K
Data breachContained

697,313 Substack records exposed in data leak

Substack disclosed in February 2026 that an unauthorized third party scraped its systems, exposing roughly 697,313 user records including email addresses, phone numbers, names, user and Stripe IDs, and profile metadata; passwords and financial data were not affected.

Victim
Substack
Records
697.3K
Data breachUnknown

Leak at French Army

In late January 2026, a hacker claimed to have exfiltrated 2,971 files (about 4.5 GB, including 1,533 PDFs) from the French Army (Armée de Terre) via a compromised account, with documents marked 'Diffusion Restreinte' (restricted distribution) and internal technical guides.

Victim
French Army
Data breachUnknown

21,647 people affected by a data leak at Inria

Disclosed on 31 January 2026, a confirmed data leak at France's Inria research institute exposed personal records of about 21,647 staff and collaborators from Inria, IRISA and partner research units, including names, dates of birth, postal addresses and household details.

Victim
Inria (Institut National de Recherche en Informatique et en Automatique)
Records
21.6K
Data breachContained

Leak at Code Rousseau

In late January 2026, French driving-education company Codes Rousseau disclosed unauthorized access to its Easysystème platform, exposing learner identity and contact details, ID photos, signatures and NEPH driving-licence numbers; ~30,000 records were later put up for sale.

Victim
Code Rousseau
Data breachUnknown

Leak at OpQuast

On 30 January 2026, a data leak at Opquast — the French web-quality assurance and certification company based in Mérignac — exposed the email addresses of around one hundred people.

Victim
OpQuast
Data breachResolved

Provecho data breach (2026)

In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed.

Victim
Provecho
Records
712.9K
Data breachOngoing

Leak at 11 real estate agencies

On 28 January 2026, a leak of roughly 1.18 million files (500+ GB) affecting 11 French real estate agencies — including Marteau Immobilier (Orpi), AFG Immobilier and Trenta Immobilier — was put up for sale on a cybercrime forum, exposing IDs, IBANs, contracts and credentials of an estimated 20,000+ owners, tenants and co-owners.

Victim
11 real estate agencies
Data breachUnknown

Leak at Puteaux Medical Imaging Centre

On 28 January 2026, patient personal data from the Centre d'Imagerie Médicale de Puteaux — a radiology and medical imaging centre in the Hauts-de-Seine — was exposed in a confirmed data breach, including names, dates of birth, contact details and appointment history.

Victim
Puteaux Medical Imaging Centre
Data breachResolved

Figure data breach (2026)

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth.

Victim
Figure
Records
967.2K
Data breachUnknown

Leak at Le CNAM

A dataset tied to the Conservatoire National des Arts et Métiers (CNAM), the French public higher-education institution, was reported leaked around 28 January 2026, exposing personal records for roughly 10,000 people including names, contact details, dates of birth and job information.

Victim
Le CNAM
Data breachUnknown

Leak at Lovys

On 28 January 2026, a data leak was claimed against Lovys, a French 100% digital neo-insurer, allegedly exposing customer records; the scale and exact data categories remain unverified.

Victim
Lovys
Data breachUnknown

Data leak at UGSEL

On 28 January 2026, a dataset exposing personal details of roughly 600 students linked to UGSEL — the French Catholic-schools sports federation — surfaced online, including names, gender, dates of birth and class/category information.

Victim
UGSEL
Supply chainUnknown

Data leak at Wemind (via Allianz)

On 28 January 2026, a data leak affecting Wemind, the French neo-insurer for freelancers and small businesses, exposed members' contact details — names, postal addresses, email addresses and phone numbers — through its Allianz insurance/back-office channel.

Victim
Wemind
Data breachUnknown

Leak at French Sports for All Federation

On 25 January 2026, the Fédération Française Sports pour Tous saw the personal data of 1,493 of its members exposed, including names, postal addresses, phone numbers, member status, affiliated club, qualifications and activities.

Victim
French Sports for All Federation
Records
1.5K
Data breachUnknown

Leak at Sciences Po

On 25 January 2026, a SQL dump of internal databases belonging to Sciences Po — the Paris Institute of Political Studies — surfaced online, exposing data held by the higher-education institution as part of a broader wave of French data leaks that month.

Victim
Sciences Po
Data breachResolved

CarMax data breach (2026)

In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

Victim
CarMax
Records
431.4K
Data breachResolved

Edmunds data breach (2026)

In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone…

Victim
Edmunds
Records
177.9K
Data breachContained

950,000 people affected by data leak at FFESSM

On 24 January 2026, France's underwater diving federation FFESSM disclosed a personal-data breach after unauthorised access to one of its IT systems exposed identity and contact details of members and licence holders, with roughly 950,000 people affected and data offered for sale on the dark web.

Victim
FFESSM (French Federation of Underwater Studies and Sports)
Records
950.0K
Data breachUnknown

Leak at Guiot de Bourg

On 24 January 2026, a customer database from French silver-jewelry brand Guiot de Bourg covering some 90,000 e-commerce accounts surfaced online, exposing names, emails, dates of birth, hashed passwords and order/payment metadata.

Victim
Guiot de Bourg
Data breachUnknown

Leak at Movida

Customer data from French vehicle-rental company Movida was exposed in a breach disclosed on 24 January 2026, including names, contact details and bank account numbers (IBANs).

Victim
Movida
Data breachUnknown

Leak at Panorama Banques

On 24 January 2026, a database attributed to French bank-comparison and credit-brokerage service Panorama Banques (Panorabanques) surfaced online, exposing personal, contact and detailed financial-profile data on roughly 2.34 million customers.

Victim
Panorama Banques
Records
2.3M
Supply chainUnknown

Leak at French Fencing Federation

On 23 January 2026, the French Fencing Federation (FFE) had its licensee database leaked as part of a wave of attacks on French sports federations, exposing members' names, contact details, postal addresses, nationality and licence/club information.

Victim
French Fencing Federation
Data breachContained

Leak at French Hunting Federation

On 23 Jan 2026 the Fédération Nationale des Chasseurs disclosed a breach of its hunting-permit validation portal, exposing names, dates of birth, postal/email addresses, phone numbers, federal IDs and licence details of roughly 1.4 million hunters.

Victim
French Hunting Federation
Records
1.4M
Data breachOngoing

1,200,000 people exposed in data leak at FFVolley

The French Volleyball Federation (FFVolley) confirmed a breach of its membership database affecting roughly 1.2 million licensees, with about 23 GB of highly sensitive files — including national ID cards, passports and birth certificates — exfiltrated and offered for sale.

Victim
French Volleyball Federation (FFVolley)
Records
1.2M
Data breachUnknown

Leak at French Firefighters Federation

On 23 January 2026, the French Firefighters Federation suffered a data breach exposing the personal records of roughly 822,449 firefighters, including names, email addresses, phone numbers and postal addresses.

Victim
French Firefighters Federation
Records
822.4K
Data breachUnknown

Leak at Grand Froid

On 23 January 2026, a customer database from French frozen-food home-delivery company Grand Froid (Saint-Nabord, Vosges) surfaced online, exposing customers' names, postal addresses and order dates.

Victim
Grand Froid
Data breachOngoing

Leak at Orpi

In January 2026, a database from the French real-estate network Orpi's owner/tenant extranet surfaced online, exposing names, postal addresses, IBANs, rent receipts and extranet logins with passwords stored in plain text.

Victim
Orpi
Data breachUnknown

Data leak at Too Easy

On 23 January 2026, a data leak attributed to Too Easy was reported, exposing customer personal data including names, email addresses, phone numbers and IP addresses. The full scale of the incident has not been publicly confirmed.

Victim
Too Easy
Data breachUnknown

Data leak at Valorissimo

Disclosed on 23 January 2026, a leak from Valorissimo — the French B2B new-build real estate marketplace owned by Bouygues Immobilier — exposed account data of platform users, including logins, email addresses, names, phone numbers, postal addresses and company affiliations.

Victim
Valorissimo
Data breachContained

Data leak at Waltio

In January 2026, French crypto-tax platform Waltio disclosed a breach exposing data from around 50,000 users — email addresses and 2024 tax-report summaries (gains/losses and year-end balances) — followed by an extortion attempt the company refused to pay.

Victim
Waltio
Records
50.0K
Data breachContained

1,416,000 records in the FNC and OFB data leak

In January 2026, the French National Hunters Federation (FNC) and the French Office for Biodiversity (OFB) suffered linked data breaches exposing personal data of roughly 1.4 million hunting-permit holders, with a 27 GB dataset offered for sale on the dark web.

Victim
French National Hunters Federation (FNC) & OFB
Records
1.4M
Data breachContained

822,499 FNSPF members affected by data leak

Around 822,499 members of France's National Firefighters Federation (FNSPF) had their personal data exposed in a January 2026 leak tied to a wider campaign of French federation breaches, with names, dates of birth, postal and email addresses and phone numbers harvested and resold on underground forums.

Victim
French National Firefighters Federation (FNSPF)
Records
822.5K
Data breachContained

Claimed leak at École nationale supérieure d'arts et métiers (volume not specified)

On 21 January 2026, French engineering grande école ENSAM (Arts et Métiers) disclosed a personal-data breach resulting from external malicious activity, exposing students' names, social security numbers, scholarship decisions and amounts, and work-stoppage dates; the total volume was not specified.

Victim
École nationale supérieure d'arts et métiers (ENSAM)
Data breachContained

Leak at ENSAM

ENSAM, a French public engineering school (Arts et Métiers), reported a data breach caused by a malicious external act, exposing students' names, social security numbers, scholarship award decisions and amounts, and sick-leave dates.

Victim
ENSAM
Data breachUnknown

Leak at ConseilJuridique.net

On 20 January 2026, a data leak affecting ConseilJuridique.net — a French online legal-consultation platform connecting individuals with lawyers — was reported, exposing customer account data; the precise scale and exposed fields were not publicly detailed.

Victim
ConseilJuridique.net
RansomwareUnknown

Claimed data leak at Delko - Ransomware

Delko, a French automotive repair and spare-parts franchise network, was hit by the Sinobi ransomware group around December 2025; the gang published the company on its leak site on 5 January 2026, with the claim relayed to affected customers and publicly on 20 January 2026.

Victim
Delko
Data breachContained

Leak at Info Jeunes Bourgogne Franche-Comté

In January 2026, Info Jeunes Bourgogne Franche-Comté, the regional youth information service running the Carte Avantages Jeunes, had identity data on some 282,906 cardholders stolen and offered for sale on the dark web; exposed fields were limited to identification and contact details.

Victim
Info Jeunes Bourgogne Franche-Comté
Records
282.9K
Data breachUnknown

Leak at Lire Demain

On 15 January 2026, French children's and educational book publisher Lire Demain (Auzou group) suffered a data breach exposing the personal details and order history of around 4,616 customers.

Victim
Lire Demain
Data breachContained

Leak at Eurail

In January 2026, Eurail B.V. — operator of the Interrail and Eurail rail-pass schemes — disclosed a data breach exposing personal and passport details of customers, with up to ~309,000 travellers reportedly affected and stolen data later offered for sale on the dark web.

Victim
Eurail
RansomwareOngoing

Data leak at Zurflüh-Feller

The Akira ransomware group listed French roller-shutter component manufacturer Zurflüh-Feller as a victim in early 2026, threatening to publish around 66 GB of stolen corporate data, including employee identity documents, financials, contracts and NDAs.

Victim
Zurflüh-Feller
Data breachUnknown

Leak at Blackstore

On 12 January 2026, French streetwear and sneaker retailer Blackstore had a customer database leaked exposing the personal and order details of 101,979 people, including names, email addresses, phone numbers, store locations and order records.

Victim
Blackstore
Records
102.0K
Data breachOngoing

Leak at Instagram

In January 2026 a dataset of about 17.5 million Instagram records — usernames, full names, email addresses, phone numbers and partial location data — went up for sale on a dark-web forum, reportedly harvested via a 2024 API scraping leak.

Victim
Instagram
Records
17.5M
Supply chainOngoing

Leak at monlogicielmedical.com

Breach of the MonLogicielMedical (MLM) practice software by Cegedim Santé, disclosed to affected doctors in early January 2026, exposing patient administrative records — name, date of birth, address, social-security scheme — for up to 11–15 million patients via compromised doctor accounts.

Victim
monlogicielmedical.com
Data breachUnknown

Claimed leak at ACRV.FR (web agency)

On 10 January 2026, a threat actor claimed a data leak at French digital agency ACRV.FR, alleging it had exfiltrated archives and databases tied to several client sites the agency hosts or maintains; the claim is unverified and the scale is unconfirmed.

Victim
ACRV.FR (web agency)
Data breachResolved

Betterment data breach (2026)

In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an…

Victim
Betterment
Records
1.4M
Data breachContained

561,502 licence holders affected by data leak at FFME

In January 2026 the French Federation of Mountaineering and Climbing (FFME) disclosed a data breach in which a fraudulently used member account gave illegitimate access to contact data — names, dates of birth, addresses, licence types — for its licence holders, a leak tracked at 561,502 records.

Victim
French Federation of Mountaineering and Climbing (FFME) #2
Records
561.5K
Data breachUnknown

599,797 licence holders: claimed data leak at FSGT

In January 2026, the Fédération Sportive et Gymnique du Travail (FSGT), a French workers' multisport federation, was hit by a claimed data leak exposing the personal records of its licence holders, with the claim referencing a database of roughly 600,000 accounts.

Victim
Workers' Sports and Gymnastics Federation (FSGT)
Records
599.8K
Data breachContained

Leak at EasyCash

A threat actor put a customer database stolen from second-hand retailer EasyCash up for sale on a hacking forum, exposing roughly 14 million records — names, dates of birth, postal addresses, phone numbers and email addresses — apparently extracted via a compromised internal/partner account.

Victim
EasyCash
Data breachContained

393,374 members affected in the data leak at FFCK

On 7 January 2026, a database of the French Canoe-Kayak Federation (FFCK) holding 31 years of member records was leaked, exposing the personal data of 393,374 members, including 392,892 postal addresses, 212,342 phone numbers and 158,434 unique emails.

Victim
French Canoe-Kayak Federation (FFCK)
Records
393.4K
Supply chainContained

599,797 FFRS licence holders affected by data leak

Roughly 600,000 licence holders of France's Roller and Skateboard Federation (FFRS) had their personal data exposed after the Rolskanet membership-management platform run by a shared third-party provider was breached, leaking names, contact details, and birth information.

Victim
French Roller and Skateboard Federation (FFRS) #2
Records
599.8K
Data breachResolved

Panera Bread data breach (2026)

In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses.

Victim
Panera Bread
Records
5.1M
Data breachContained

78,133 members affected by claimed data leak at FFPLUM

On 8 January 2026 the French Microlight Federation (FFPLUM) disclosed that an attacker had fraudulently accessed an administrator account on its licence-management platform, exposing the personal data of roughly 78,000 members, including names, dates of birth, postal addresses, emails and phone numbers.

Victim
French Microlight Federation (FFPLUM)
Records
78.1K
Supply chainUnknown

133,297 members affected by Lions Clubs of France data leak

In early January 2026, a member database of the Fondation des Lions de France (Lions Clubs of France) was published on BreachForums, exposing 133,297 deduplicated individuals — including full civil status, home addresses, phone numbers and profile photos — in a leak traced to the MyAssoc club-management platform.

Victim
Lions de France Foundation (Lions Clubs of France)
Records
133.3K
Data breachContained

Data leak at DCE Conseil and partners (prisons, armed forces, luxury)

French engineering consultancy DCE Conseil suffered a breach after an employee's cloud account was compromised with stolen credentials, exposing roughly 844 GB of sensitive technical files — including plans of prisons, a military base and luxury and corporate clients — later offered for sale on BreachForums.

Victim
DCE Conseil (Various partners: prisons, armed forces, luxury, etc.)
Data breachOngoing

800,000 records in Adecco data leak

In early January 2026, staffing agency Adecco was hit by a data leak after a threat actor put a database of roughly 800,000 candidate profiles — including about 750,000 CVs with names, contact details and work histories — up for sale, claiming extraction from an internal Adecco tool.

Victim
Adecco
Records
800.0K
Data breachContained

Data leak at AgroParisTech

In January 2026, AgroParisTech — France's leading graduate school of agronomy and life sciences — suffered a cyberattack in which an intruder claimed to have exfiltrated around 211 GB of data, exposing HR and personal records of staff, students and external contributors.

Victim
AgroParisTech
Supply chainOngoing

2.1 million: data leak at OFII / ANEF

On 1 January 2026, a database of around 2.1 million records belonging to France's OFII / ANEF "Étrangers en France" immigration portal was put up for sale on BreachForums, exposing foreign nationals' identities, contact details, family situation and residence-permit data after a subcontractor was compromised.

Victim
OFII / ANEF ("Étrangers en France" portal – French Ministry of the Interior)
Records
2.1M