Tags: underground-data-leak, mass-credential-exposure, third-party-vendor-breach, ransomware-group-operation

Dark Web Leak Claims Target Multiple Organizations, Including Salesfloor and Republic

Updated 3mo ago | First seen Jan 27, 2026 | 9 sources

Dark web monitoring reports surfaced multiple alleged data leaks affecting unrelated organizations, with several listings offering databases for sale or direct download. Reports claim Republic (republic.com) user data (~4.94M users) was listed for sale for $2,400, allegedly including names, emails, physical addresses, and phone numbers. Separate dark web listings also alleged exposure of rueducommerce.fr user data (linked in reporting to Carrefour) totaling ~2.17M records with similar PII, as well as alleged leaks involving Dunzo (~3.4M records) and Menulux (~93K records). Additional reporting highlighted a historical breach dataset for the YouHack forum (2013; ~107K users) containing usernames, emails, passwords, IPs, posts, and private messages, and a smaller exposure tied to buylottoonline.com (~38.5K email records).

One of the most consequential claims involved Salesfloor / People Powered E-Commerce (salesfloor.net), attributed in reporting to LAPSUS$, alleging theft of roughly 4 TB uncompressed (1 TB compressed) data including source code, logs, and customer information, with potential downstream impact to retail brands using the platform. Separately from the dark-web-leak theme, other items in the set describe distinct vulnerability-driven risks rather than breach listings: Zoom Node MMRs command injection (CVE-2026-22844, CVSS 9.9) enabling arbitrary code execution in certain hybrid meeting deployments; SmarterMail auth bypass (CVE-2026-23760) enabling admin password reset via force-reset-password and potential RCE; Vite improper access control (CVE-2025-31125) enabling sensitive file exposure via query parameters such as ?inline&import / ?raw&import (noted as added to CISA KEV); and Appsmith password-reset token exposure (CVE-2026-22794) enabling account takeover, with internet-exposed instances identified via Shodan and remediation via upgrade to Appsmith 1.93. These vulnerability reports are separate from the dark web leak claims and should be tracked as independent patching priorities rather than as part of a single breach event.


EVENT TIMELINE

How this story unfolded

14 events from the most recent confirmed update back to the earliest known activity.

Jan 27, 2026 (5mo ago)

Dark web seller advertised auction of 1,000 credit cards

SOCRadar reported on 2026-01-27 that a threat actor was auctioning 1,000 credit cards from multiple regions, claiming a 60% validity rate. The listing stated the auction would end on 2026-02-28.

Axtria source code and internal repositories were allegedly leaked

A dark web post reported by SOCRadar on 2026-01-27 claimed Axtria had suffered a breach exposing proprietary source code and internal development repositories. The allegedly leaked material included analytics-related components and infrastructure or deployment configurations.

SOCRadar reported new dark web posts for Axtria, Salesfloor, and Republic

On 2026-01-27, SOCRadar said its Dark Web Team observed new underground posts alleging an Axtria source code leak, a LAPSUS$-attributed Salesfloor breach, and a Republic user database sale. The report largely reinforced and expanded on existing claims around Salesfloor and Republic while introducing Axtria as a newly alleged victim.

Jan 26, 2026 (5mo ago)

Menulux customer data leak was disclosed

On 2026-01-26, dark web monitoring identified a reported Menulux data leak affecting about 93,000 customer records. The exposed information was described as including full names, phone numbers, and physical addresses.

Jan 25, 2026 (5mo ago)

FAU data leak was publicly disclosed

FAU Erlangen-Nürnberg was publicly reported on 2026-01-25 as having suffered a data leak tied to the earlier claimed September 2025 breach. The disclosure said student data and internal source code had been exposed.

Dunzo leak claims surfaced on dark web

On 2026-01-25, reports emerged alleging exposure of a Dunzo database containing approximately 3.4 million records. The data was described as including user email addresses, phone numbers, and full names, though authenticity was still being verified.

Jan 22, 2026 (5mo ago)

Salesfloor breach claims surfaced and were attributed to LAPSUS$

A security incident involving Salesfloor was publicly reported on 2026-01-22, with claims that LAPSUS$ accessed internal systems and exposed a large dataset. The alleged leak included source code, system logs, customer information, and roughly 4TB of uncompressed data affecting about 1 million records.

Carrefour-linked RueDuCommerce database leak surfaced

On 2026-01-22, reports surfaced alleging exposure and sale of a rueducommerce.fr database tied to Carrefour. The listing claimed 2,167,681 user records containing names, email addresses, phone numbers, and physical addresses.

Jan 21, 2026 (5mo ago)

Republic user database was reportedly offered for sale

Republic was publicly linked on 2026-01-21 to an alleged dark web sale of a user database containing about 4,942,704 records. The exposed data was described as including names, email addresses, physical addresses, and phone numbers.

BuyLottoOnline breach was publicly reported

On 2026-01-21, a data breach involving buylottoonline.com was publicly reported, describing exposure of roughly 38,521 records. The report did not identify a threat actor or root cause.

YouHack historical breach was publicly reported

A security incident report published on 2026-01-21 disclosed the 2013 YouHack breach and the categories of exposed user data. The incident was treated as informational severity in current reporting.

Oct 29, 2025 (8mo ago)

BuyLottoOnline data reportedly exposed in late October 2025

Reports state BuyLottoOnline suffered a breach around 2025-10-29 that exposed about 38,521 records, primarily unique email addresses. No threat actor or root cause was publicly identified.

Sep 25, 2025 (9mo ago)

FAU breach reportedly exposed student data and source code

Reports claim Friedrich-Alexander-Universität Erlangen-Nürnberg was breached on 2025-09-25, leading to exposure of student data and internal source code. Specific data types and the technical cause were not confirmed.

May 29, 2013 (13y ago)

YouHack breach exposed 107,358 forum user records

A historical breach of the YouHack forum reportedly occurred on 2013-05-29, exposing 107,358 records including usernames, email addresses, passwords, IP addresses, forum posts, and private messages. No threat actor was identified in the later reporting.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

11 linked

Threat actors: 1 linked

Organizations (10 linked): Republic, SOCRadar, Salesfloor, Axtria, UpGuard, Carrefour, YouHack, Rue du Commerce, People Powered E-Commerce, Dunzo