Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described unverified data leak claims involving several organizations, including French parcel delivery firm Colis Privé. One post on BreachForums allegedly offered an upload of 22,564,381 records attributed to Colis Privé, described as .jsonl files totaling ~4.1 GB; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of identity theft, credential stuffing, and targeted phishing against customers.
Separate dark web forum posts also alleged database exposures affecting JobsGO (Vietnam recruitment platform), MyVete (veterinary management platform), PIXPAY (Senegalese payment service), and Groupe Fondasol (France-based engineering). The claimed datasets reportedly include CV/personal records, and in some cases API credentials and employee metadata, with example figures including ~2.3 million records for JobsGO and ~5.57 million records for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for social engineering, recruitment fraud, and account takeover, rather than immediate exploitation of a specific software vulnerability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
MyVete ransom deadline is set for end of January
The actor behind the alleged MyVete leak reportedly set January 30, 2026 as the deadline for payment of a $100,000 ransom before selling the data. This marked an escalation from a leak claim to an extortion demand with a stated cutoff date.
UpGuard flags Colis Privé incident as informational
UpGuard published a notice on the alleged Colis Privé breach and categorized it as informational while the scope and exposed data types were still being assessed. The report noted potential downstream risks such as phishing, credential stuffing, unauthorized account access, and identity theft.
SOCRadar reports multiple new leak claims
SOCRadar's Dark Web Team published a roundup identifying new leak claims involving JobsGO, MyVete, PIXPAY, and Groupe Fondasol. The report said some samples were shared to support the allegations, but the claims remained unverified.
Employee dataset leak is alleged for Groupe Fondasol
A dark web post alleged that France-based Groupe Fondasol had an employee CSV dataset exposed containing records for 888 employees. The claimed data included contact details and access-related metadata that could support targeted social engineering.
Dark web claims surface against PIXPAY
A dark web leak claim alleged that Senegalese payment service PIXPAY exposed JWTs, API keys, access tokens, and database credentials. The actor used the LAPSUS$ name for attribution, but this was not independently verified.
Colis Privé breach claim is disclosed on BreachForums
On January 15, 2026, a BreachForums user allegedly uploaded a dataset tied to French parcel delivery service Colis Privé. The post claimed to contain 22,564,381 records in .jsonl files totaling about 4.1 GB, though the exposed data types and responsible actor were not confirmed.
MyVete data dump is allegedly posted
A dark web claim dated January 12, 2026 alleged that veterinary management platform MyVete had a data dump of about 5.57 million records totaling roughly 30 GB. The actor reportedly threatened to sell the data unless a $100,000 ransom was paid.
JobsGO leak claim emerges on dark web
A dark web post alleged that Vietnam-based recruitment platform JobsGO suffered a data leak in early January 2026 affecting about 2.3 million records. The claimed data reportedly included detailed personal and professional information that could enable phishing, recruitment fraud, and identity abuse.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dark Web Leak Claims Target Multiple Organizations, Including Salesfloor and Republic
Dark web monitoring reports surfaced multiple **alleged data leaks** affecting unrelated organizations, with several listings offering databases for sale or direct download. Reports claim **Republic (republic.com)** user data (~4.94M users) was listed for sale for **$2,400**, allegedly including names, emails, physical addresses, and phone numbers. Separate dark web listings also alleged exposure of **rueducommerce.fr** user data (linked in reporting to **Carrefour**) totaling ~2.17M records with similar PII, as well as alleged leaks involving **Dunzo** (~3.4M records) and **Menulux** (~93K records). Additional reporting highlighted a historical breach dataset for the **YouHack** forum (2013; ~107K users) containing usernames, emails, passwords, IPs, posts, and private messages, and a smaller exposure tied to **buylottoonline.com** (~38.5K email records). One of the most consequential claims involved **Salesfloor / People Powered E-Commerce (salesfloor.net)**, attributed in reporting to **LAPSUS$**, alleging theft of roughly **4 TB uncompressed** (1 TB compressed) data including **source code, logs, and customer information**, with potential downstream impact to retail brands using the platform. Separately from the dark-web-leak theme, other items in the set describe distinct vulnerability-driven risks rather than breach listings: **Zoom Node MMRs** command injection (**CVE-2026-22844**, CVSS 9.9) enabling arbitrary code execution in certain hybrid meeting deployments; **SmarterMail** auth bypass (**CVE-2026-23760**) enabling admin password reset via `force-reset-password` and potential RCE; **Vite** improper access control (**CVE-2025-31125**) enabling sensitive file exposure via query parameters such as `?inline&import` / `?raw&import` (noted as added to CISA KEV); and **Appsmith** password-reset token exposure (**CVE-2026-22794**) enabling account takeover, with internet-exposed instances identified via Shodan and remediation via upgrade to *Appsmith* 1.93. These vulnerability reports are separate from the dark web leak claims and should be tracked as independent patching priorities rather than as part of a single breach event.
Mar 21, 2026
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Mar 21, 2026
HexDex Lists Stolen Customer and Operational Data From French Retailers
Threat actor **HexDex** has claimed breaches at two French e-commerce companies and is offering the allegedly stolen data for sale. One listing targets **Airsoft-Entrepot**, where the actor says it obtained more than 10 database files covering 2013 to 2026, including roughly **383,000 customer profiles**, **328,000 email addresses**, **243,000 phone numbers**, and **333,000 full address records**. The exposed material reportedly goes beyond customer PII to include **orders, invoices, supplier data, delivery history, accounting records, B2B orders, and warehouse or inventory information**, suggesting compromise of both customer-facing and back-office systems. A second listing targets **Allopneus**, a major French online tire retailer, with HexDex claiming to hold data spanning 2014 to 2026 for **453,299 customers** across **739,316 records**, including **513,089 phone numbers** and **453,299 email addresses**. The actor reportedly published proof links, sample records, and 1,000-line excerpts for both datasets while soliciting offers through underground channels. If authentic, the disclosures would expose large volumes of customer contact data and purchase-related information, while the Airsoft-Entrepot cache could also reveal sensitive supplier, financial, and logistics details that increase fraud, phishing, and business intelligence risks.
Mar 23, 2026