HexDex Lists Stolen Customer and Operational Data From French Retailers
Threat actor HexDex has claimed breaches at two French e-commerce companies and is offering the allegedly stolen data for sale. One listing targets Airsoft-Entrepot, where the actor says it obtained more than 10 database files covering 2013 to 2026, including roughly 383,000 customer profiles, 328,000 email addresses, 243,000 phone numbers, and 333,000 full address records. The exposed material reportedly goes beyond customer PII to include orders, invoices, supplier data, delivery history, accounting records, B2B orders, and warehouse or inventory information, suggesting compromise of both customer-facing and back-office systems.
A second listing targets Allopneus, a major French online tire retailer, with HexDex claiming to hold data spanning 2014 to 2026 for 453,299 customers across 739,316 records, including 513,089 phone numbers and 453,299 email addresses. The actor reportedly published proof links, sample records, and 1,000-line excerpts for both datasets while soliciting offers through underground channels. If authentic, the disclosures would expose large volumes of customer contact data and purchase-related information, while the Airsoft-Entrepot cache could also reveal sensitive supplier, financial, and logistics details that increase fraud, phishing, and business intelligence risks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
HexDex allegedly breaches Airsoft-Entrepot data spanning 2013–2026
HexDex claimed to be selling multiple stolen databases from French retailer Airsoft-Entrepot, allegedly exposing extensive customer, order, invoice, supplier, delivery, accounting, B2B, and inventory records. The listing said the customer dataset included 383,000 unique customer profiles, 328,000 email addresses, 243,000 phone numbers, and 333,000 full address records.
HexDex allegedly breaches Allopneus customer data spanning 2014–2026
Threat actor HexDex claimed to have stolen a large dataset from French online tire retailer Allopneus, allegedly containing 453,299 unique customers and 739,316 total records. The exposed data reportedly included customer contact details and likely related delivery, vehicle, and purchase or service history.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Alleged Breach of Allopneus Exposes 453K Customers and 739K Records From France's Leading Online Tire Retailer Spanning 2014 to 2026
darkwebinformer.com
Open sourceAlleged Breach of Airsoft-Entrepot Exposes 333K Customer Records, Orders, Invoices, and B2B Data From French Retailer Spanning 2013 to 2026
darkwebinformer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
French Police Arrest HexDex Over Wave of Data Breaches Across France
French authorities arrested a 20-year-old suspect known online as **HexDex** in western France over a broad hacking campaign that prosecutors say is tied to about 100 breach reports filed since late 2025. Investigators said the suspect admitted using the HexDex alias to claim responsibility for intrusions and to publish or repost stolen data on **BreachForum** and **Darkforum**. Police also seized the suspect’s Darkforum account and computer equipment, while forensic analysis and the wider investigation continue. The alleged victims span public institutions, sports federations, and private organizations across France, including multiple national sports bodies, **Logis Hôtels**, **Brit Hotel**, the **Philharmonie de Paris**, food banks, the **Moselle prefecture**, and **e-campus**, a training platform used by the national police. Prosecutors also linked the case to the French Ministry of National Education’s **Compas** database, where a March breach exposed personal data belonging to about **243,000 employees**, and said the suspect is also under scrutiny over a breach involving a government firearms information system. Authorities said a separate cyberattack on **France Titres** detected on April 15 is not currently being attributed to the suspect.
May 1, 2026
Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described **unverified data leak claims** involving several organizations, including French parcel delivery firm **Colis Privé**. One post on **BreachForums** allegedly offered an upload of **22,564,381 records** attributed to Colis Privé, described as `.jsonl` files totaling **~4.1 GB**; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of **identity theft, credential stuffing, and targeted phishing** against customers. Separate dark web forum posts also alleged database exposures affecting **JobsGO** (Vietnam recruitment platform), **MyVete** (veterinary management platform), **PIXPAY** (Senegalese payment service), and **Groupe Fondasol** (France-based engineering). The claimed datasets reportedly include **CV/personal records**, and in some cases **API credentials and employee metadata**, with example figures including **~2.3 million records** for JobsGO and **~5.57 million records** for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for **social engineering, recruitment fraud, and account takeover**, rather than immediate exploitation of a specific software vulnerability.
Mar 21, 2026
Customer Data Exposed in LDLC and LuLu Retail Breaches
French retailer **LDLC** disclosed a breach affecting customers of its physical stores after stolen data was advertised for sale on a hacking forum. The exposed dataset reportedly included **1.26 million unique email addresses** along with customers' names, phone numbers, and physical addresses, indicating broad exposure of personally identifiable information tied to retail transactions. Emirati retailer **LuLu** also suffered a customer data breach in which an initial set of about **190,000 email addresses** and linked phone numbers was shared on a hacking forum. The incident escalated when the threat actor later leaked a larger backup from **October 2022**, exposing an additional **2.6 million unique email addresses** as well as names, physical addresses, order data, and **`PBKDF2` password hashes**, significantly increasing the risk of account compromise and follow-on phishing or fraud.
Mar 27, 2026