Customer Data Exposed in LDLC and LuLu Retail Breaches
French retailer LDLC disclosed a breach affecting customers of its physical stores after stolen data was advertised for sale on a hacking forum. The exposed dataset reportedly included 1.26 million unique email addresses along with customers' names, phone numbers, and physical addresses, indicating broad exposure of personally identifiable information tied to retail transactions.
Emirati retailer LuLu also suffered a customer data breach in which an initial set of about 190,000 email addresses and linked phone numbers was shared on a hacking forum. The incident escalated when the threat actor later leaked a larger backup from October 2022, exposing an additional 2.6 million unique email addresses as well as names, physical addresses, order data, and PBKDF2 password hashes, significantly increasing the risk of account compromise and follow-on phishing or fraud.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Threat actor leaks LuLu's full database backup
In the month following the initial LuLu breach, the threat actor released a backup from October 2022 after threatening to leak the full database. The larger leak contained an additional 2.6 million unique email addresses, along with names, physical addresses, order data, and PBKDF2 password hashes.
Stolen LuLu data shared on hacking forum
After the July 2024 breach, the initially exposed LuLu customer data was shared on a popular hacking forum. The shared data included roughly 190,000 email addresses and phone numbers.
LuLu suffers breach exposing customer contact data
In July 2024, Emirati retailer LuLu experienced a data breach that exposed customer contact information. The initially impacted data included about 190,000 email addresses and associated phone numbers.
LDLC discloses breach affecting physical-store customers
In March 2024, French retailer LDLC disclosed a data breach affecting customers of its physical stores. The compromised data reportedly included 1.26 million unique email addresses, names, phone numbers, and physical addresses.
LDLC customer data advertised for sale before disclosure
Before LDLC publicly disclosed its breach, stolen customer data from its physical stores was advertised for sale on a popular hacking forum. The exposed dataset reportedly included customer contact and address information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
French Telecom and Retail Breaches Expose Millions of Customer Records
French telecommunications provider **Bouygues Telecom** disclosed a cyberattack that led to the exposure of nearly **6.4 million customer records**, including **5.7 million unique email addresses**. The compromised data reportedly included names, physical addresses, phone numbers, dates of birth, and **IBANs**, raising concerns about fraud and financial abuse. The company said affected customers were notified after detecting the intrusion into its services. French electronics retailer **Boulanger** also suffered a major breach in which more than **27 million rows of data** were exposed, including **2 million unique email addresses**. The leaked information reportedly included names, physical addresses, phone numbers, and even **latitude and longitude** data. Unlike the Bouygues incident, the stolen Boulanger dataset was later posted publicly on a hacking forum, significantly increasing the likelihood of downstream misuse, phishing, and identity-related abuse.
Mar 27, 2026
HexDex Lists Stolen Customer and Operational Data From French Retailers
Threat actor **HexDex** has claimed breaches at two French e-commerce companies and is offering the allegedly stolen data for sale. One listing targets **Airsoft-Entrepot**, where the actor says it obtained more than 10 database files covering 2013 to 2026, including roughly **383,000 customer profiles**, **328,000 email addresses**, **243,000 phone numbers**, and **333,000 full address records**. The exposed material reportedly goes beyond customer PII to include **orders, invoices, supplier data, delivery history, accounting records, B2B orders, and warehouse or inventory information**, suggesting compromise of both customer-facing and back-office systems. A second listing targets **Allopneus**, a major French online tire retailer, with HexDex claiming to hold data spanning 2014 to 2026 for **453,299 customers** across **739,316 records**, including **513,089 phone numbers** and **453,299 email addresses**. The actor reportedly published proof links, sample records, and 1,000-line excerpts for both datasets while soliciting offers through underground channels. If authentic, the disclosures would expose large volumes of customer contact data and purchase-related information, while the Airsoft-Entrepot cache could also reveal sensitive supplier, financial, and logistics details that increase fraud, phishing, and business intelligence risks.
Mar 23, 2026
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Mar 21, 2026