
Leroy Merlin France Loyalty Program Data Breach: December 2025 Security Incident Analysis and Technical Report

  • Rescana
  • 20 hours ago

Executive Summary

On December 3, 2025, Leroy Merlin, a leading French home improvement and gardening retailer, disclosed a data breach affecting its customers in France. The breach resulted in the exposure of personal information, including full names, phone numbers, email addresses, postal addresses, dates of birth, and loyalty program-related data. No financial information or account passwords were compromised. The company responded by blocking unauthorized access, notifying affected customers, and providing guidance on identifying phishing attempts. There is no evidence at this time that the stolen data has been misused, leaked online, or leveraged for extortion. No ransomware or extortion group has claimed responsibility for the incident. This report provides a comprehensive technical analysis of the breach, sector context, and actionable recommendations for organizations and customers. All information in this summary is directly sourced from the official customer notification, technical press confirmation, and sector-specific security analysis as referenced below.

Technical Information

The data breach at Leroy Merlin was publicly disclosed on December 3, 2025, following a cyberattack on the company’s information systems. The breach affected customers in France and exposed several categories of personally identifiable information (PII): full name, phone number, email address, postal address, date of birth, and loyalty program-related information. The company has confirmed that no banking data or online account passwords were included in the compromised dataset, which largely removes the risk of direct financial fraud; the combination of contact details, postal address, and date of birth is nevertheless exactly what an attacker needs for convincing phishing, smishing, and voice-based social engineering that impersonates the retailer. The customer notification accordingly emphasized vigilance against unsolicited communications and gave advice on recognizing phishing attempts that use the Leroy Merlin brand.

The technical details of the attack remain undisclosed. Neither the official notification nor independent press coverage has specified the attack vector, malware, or tools used, and no indicators such as malware hashes, command-and-control infrastructure, or exploit details have been published by Leroy Merlin or third-party researchers. Sector threat intelligence from late 2025 reports a surge in sales of unauthorized FTP access to French e-commerce sites, particularly Magento shops and sites integrated with the Mirakl marketplace platform (which Leroy Merlin uses); write access to a shop’s web root obtained this way is a common precursor to Magecart-style digital skimming, since it lets an attacker plant skimmer JavaScript in checkout pages. There is, however, no direct evidence linking these tactics, techniques, and procedures (TTPs) to the Leroy Merlin breach, and the exposed dataset (stored loyalty records rather than checkout form input) is not what a checkout skimmer typically captures.

An information-exposure vulnerability (CVE-2025-11379, CWE-200) in a WordPress plugin used on French e-commerce sites has also been noted in sector reports, but again there is no known connection to Leroy Merlin. The absence of technical artifacts or forensic details prevents attribution of the breach to a specific threat actor, malware family, or TTP.

Sector context indicates that French retail and e-commerce organizations, especially those with large customer databases and loyalty programs, are high-value targets for data theft and fraud. Attackers in this sector frequently exploit web application vulnerabilities, weak credentials, or third-party integrations. The breach at Leroy Merlin underscores the risks associated with storing extensive personal data for loyalty programs, which can be leveraged for targeted phishing and social engineering campaigns.

Mapping the incident to the MITRE ATT&CK framework on the basis of sector context (none of these techniques is confirmed for this incident): Initial Access via Valid Accounts (T1078), which fits the credential-broker activity described above, or Exploit Public-Facing Application (T1190); Persistence through Web Shell (T1505.003); Collection via Data from Information Repositories (T1213), which would cover reads of a loyalty-program customer database; Exfiltration Over Web Service (T1567.002); and, under Impact, Data Manipulation (T1565). T1565 is included for completeness only; nothing reported about this incident suggests that data was altered rather than copied. These mappings reflect common sector TTPs and not direct evidence from the Leroy Merlin breach.

No threat actor or group has claimed responsibility for the breach, and there is no evidence of ransomware, extortion, or advanced persistent threat (APT) activity. The incident appears consistent with sector-wide targeting of French retail and e-commerce organizations for data theft, but attribution confidence remains low due to the absence of technical evidence or public claims.

Affected Versions & Timeline

The breach affects only customers of Leroy Merlin in France. The company operates in multiple European countries, South Africa, and Brazil, but the incident is currently limited to the French market. The notification was published on December 3, 2025, and confirmed as genuine by technical press sources. The exact timeline of the attack, including initial compromise, data exfiltration, and detection, has not been disclosed by Leroy Merlin.

The exposed data includes full name, phone number, email address, postal address, date of birth, and loyalty program-related information. No financial data or account passwords were compromised. The company’s notification states that, upon detection of the incident, all necessary measures were taken to block unauthorized access and contain the breach. There is no evidence that the stolen information has been used maliciously, leaked online, or leveraged for extortion as of the date of this report.

No official enforcement action or sanction by the CNIL (French data protection authority) specific to this incident has been reported. General CNIL breach notification statistics and enforcement actions for 2024 are available for sector context.

Threat Activity

The threat activity associated with the Leroy Merlin breach remains largely uncharacterized due to the lack of published technical details. No specific malware, webshells, or digital skimmers have been identified in connection with the incident. Sector intelligence reports indicate that French e-commerce and retail organizations have been targeted by financially motivated cybercriminals, including Magecart groups and access brokers selling FTP/SSH credentials. The use of third-party platforms such as Mirakl and the prevalence of web application vulnerabilities in the sector increase the risk profile for organizations like Leroy Merlin.

In 2025, there has been a documented increase in unauthorized FTP access sales and exploitation of web application vulnerabilities in the French retail sector. However, there is no direct evidence linking these activities to the Leroy Merlin breach. No ransomware or extortion group has claimed responsibility, and there is no indication of APT involvement.

The primary risk to affected customers is the potential for phishing and social engineering attacks leveraging the exposed personal data. The company has advised customers to remain vigilant for unsolicited communications and to report any anomalies in account activity or issues with loyalty program redemption.

Mitigation & Workarounds

The following mitigation and workaround recommendations are ordered by priority, highest first:

Critical: Organizations in the retail and e-commerce sector should immediately review and strengthen credential hygiene, including enforcing strong password policies, implementing multi-factor authentication (MFA), and monitoring for unauthorized access to FTP, SSH, and web administration interfaces. Web application security should be prioritized, with regular vulnerability scanning, prompt patching of known vulnerabilities (including third-party plugins and integrations), and continuous monitoring for signs of exploitation or data exfiltration.
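As an added example (not code from Rescana, Leroy Merlin, or the cited reports), the following Python script shows what "monitoring for unauthorized access to FTP and SSH" can look like in practice. It parses constructed OpenSSH and vsftpd login lines and raises an alert for each successful login that comes from outside an allowlisted network, that follows a burst of failed attempts (the pattern left by a brute-forced or purchased credential being tried), or that occurs outside business hours. The sample log, the allowlisted network, the business-hours window, and the failure threshold are all hypothetical values chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH (syslog) and vsftpd log formats.
# Illustrative only; not logs from Leroy Merlin or any real system.
SAMPLE_LOG = """\
Dec  1 02:14:03 web01 sshd[2201]: Failed password for admin from 203.0.113.9 port 51012 ssh2
Dec  1 02:14:05 web01 sshd[2201]: Failed password for admin from 203.0.113.9 port 51014 ssh2
Dec  1 02:14:06 web01 sshd[2201]: Failed password for admin from 203.0.113.9 port 51015 ssh2
Dec  1 02:14:09 web01 sshd[2203]: Accepted password for admin from 203.0.113.9 port 51018 ssh2
Dec  1 09:30:11 web01 sshd[2310]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mon Dec  1 03:02:44 2025 [pid 4512] [ftpuser] OK LOGIN: Client "203.0.113.9"
Mon Dec  1 10:02:44 2025 [pid 4520] [ftpuser] OK LOGIN: Client "198.51.100.20"
"""

# Hypothetical policy values: networks allowed to reach admin services, the
# working-hours window, and the failure count that marks a password-guessing run.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time
BRUTE_FORCE_THRESHOLD = 3

SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
VSFTPD_RE = re.compile(
    r"^\w{3} \w{3}\s+\d+ (?P<hour>\d{2}):\d{2}:\d{2} \d{4} \[pid \d+\] "
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Normalise one sshd or vsftpd line to (service, hour, user, ip, success), or None."""
    m = SSHD_RE.match(line)
    if m:
        return ("ssh", int(m["hour"]), m["user"], m["ip"], m["result"] == "Accepted")
    m = VSFTPD_RE.match(line)
    if m:
        return ("ftp", int(m["hour"]), m["user"], m["ip"], m["result"] == "OK")
    return None


def is_allowed(ip):
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def detect_suspicious_logins(log_text):
    """Return (service, user, ip, reason) alerts for successful logins that come from
    outside the allowlist, follow a burst of failures, or occur off-hours."""
    failures = defaultdict(int)   # (service, user, ip) -> failed attempts seen so far
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        service, hour, user, ip, success = event
        key = (service, user, ip)
        if not success:
            failures[key] += 1
            continue
        if not is_allowed(ip):
            alerts.append((service, user, ip, "source not in allowlist"))
        if failures[key] >= BRUTE_FORCE_THRESHOLD:
            alerts.append((service, user, ip, f"success after {failures[key]} failures"))
        if hour not in BUSINESS_HOURS:
            alerts.append((service, user, ip, f"login at {hour:02d}h, outside business hours"))
        failures[key] = 0   # a successful login ends the guessing run; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

Run against the sample, the admin SSH login and the off-hours FTP login from 203.0.113.9 are flagged while the deploy and FTP logins from the allowlisted 198.51.100.0/24 network are not. In production the same three checks would read from the SIEM rather than a string, and the allowlist would come from the change-managed list of bastion and office egress addresses.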

High: Customer data storage practices should be reviewed to minimize the retention of sensitive personal information, especially for loyalty programs. Data access should be restricted to the minimum necessary personnel, and robust logging and alerting should be implemented to detect unauthorized access or anomalous data activity.
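To make the "restrict access" and "log and alert on anomalous data activity" recommendations concrete, here is an added Python example (not Rescana's or Leroy Merlin's code) that runs two checks over a constructed database audit log for a hypothetical loyalty_members table: a least-privilege check that flags any read by a role not in the table's entitlement matrix, and a sliding-window volume check that flags a principal whose reads exceed a row threshold within ten minutes, the signature of a bulk copy rather than normal per-customer lookups. The audit records, the entitlement matrix, and the 10,000-rows-per-10-minutes threshold are assumptions chosen for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed database audit records (timestamp, principal, role, table, action, rows).
# Illustrative only; not real Leroy Merlin data or logs.
SAMPLE_AUDIT = """\
timestamp,principal,role,table,action,rows
2025-12-01T09:12:03Z,svc_crm,crm_service,loyalty_members,SELECT,25
2025-12-01T09:12:40Z,svc_crm,crm_service,loyalty_members,SELECT,40
2025-12-01T02:05:10Z,svc_web,web_app,loyalty_members,SELECT,5000
2025-12-01T02:05:30Z,svc_web,web_app,loyalty_members,SELECT,5000
2025-12-01T02:06:02Z,svc_web,web_app,loyalty_members,SELECT,5000
2025-12-01T11:00:00Z,j.doe,marketing,loyalty_members,SELECT,1
2025-12-01T11:30:00Z,svc_sync,ftp_sync,loyalty_members,SELECT,12
"""

# Hypothetical least-privilege matrix: which roles may read which table.
ENTITLEMENTS = {
    "loyalty_members": {"crm_service", "web_app"},
}
# Hypothetical volume baseline: more rows than this per principal inside the
# window is treated as a bulk read (possible staging for exfiltration).
WINDOW = timedelta(minutes=10)
BULK_ROW_THRESHOLD = 10_000


def parse_audit(text):
    """Yield audit records as dicts with a parsed UTC timestamp and integer row count."""
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        row["rows"] = int(row["rows"])
        yield row


def detect_data_access_anomalies(text):
    """Return (principal, table, reason) alerts for reads by non-entitled roles and for
    bulk reads exceeding BULK_ROW_THRESHOLD rows per principal inside WINDOW."""
    alerts = []
    windows = defaultdict(deque)   # principal -> deque of (timestamp, rows) inside WINDOW
    bulk_flagged = set()           # alert once per principal, not once per extra query
    for rec in sorted(parse_audit(text), key=lambda r: r["timestamp"]):
        principal, role, table = rec["principal"], rec["role"], rec["table"]
        if role not in ENTITLEMENTS.get(table, set()):
            alerts.append((principal, table, f"role '{role}' not entitled to read {table}"))
        q = windows[principal]
        q.append((rec["timestamp"], rec["rows"]))
        while q and rec["timestamp"] - q[0][0] > WINDOW:   # drop records outside the window
            q.popleft()
        total = sum(n for _, n in q)
        if total > BULK_ROW_THRESHOLD and principal not in bulk_flagged:
            bulk_flagged.add(principal)
            alerts.append((principal, table, f"bulk read: {total} rows within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_data_access_anomalies(SAMPLE_AUDIT):
        print(*alert, sep=" | ")
```

On the sample, the web application's three 5,000-row reads at 02:05-02:06 trip the bulk-read rule (an application that serves one customer at a time has no reason to page through the whole table), and the marketing user and the FTP sync account are flagged because neither role is entitled to the table. Note that the volume rule only works if the audit source records row counts per statement; if yours records statements only, the rule has to be rewritten around query shape (full-table scans, missing WHERE clauses) instead.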

Medium: Organizations should provide clear guidance to customers on identifying phishing and social engineering attempts, including examples of common tactics used to impersonate brands. Incident response plans should be updated to include procedures for rapid customer notification and support in the event of a data breach.

Low: Regular security awareness training should be conducted for employees, with a focus on recognizing phishing attempts, social engineering, and the importance of reporting suspicious activity. Third-party risk management processes should be strengthened to assess the security posture of vendors and partners with access to customer data.

Customers affected by the Leroy Merlin breach are advised to remain vigilant for unsolicited communications, verify the authenticity of messages purporting to be from Leroy Merlin, and report any suspicious activity or issues with loyalty program redemption to the company directly.
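The customer advice above reduces to one practical check: does a message or link actually come from the retailer's own domain, or from something built to look like it? The added Python example below (not part of the original notification or of Rescana's tooling) classifies an email address or URL as legitimate, lookalike, or unrelated. It assumes leroymerlin.fr is the brand's legitimate domain (an assumption; verify against the official site), folds common digit-for-letter homoglyphs before comparing, catches the brand name buried in a subdomain of an unrelated domain, and uses an edit-distance check for one- or two-character typosquats. The registrable-domain helper takes the last two labels, which is adequate for .fr and .com but not for suffixes such as .co.uk; a production check would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed legitimate domain for the brand (assumption, not taken from the
# notification; verify against the retailer's official site before relying on it).
LEGITIMATE_DOMAINS = {"leroymerlin.fr"}
BRAND = "leroymerlin"

# Digit/symbol substitutions seen in typosquats, folded back to ASCII letters;
# hyphens and underscores are removed so "leroy-merlin" compares as "leroymerlin".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "|": "l", "-": "", "_": ""})


def registrable_domain(host):
    """Crude 'last two labels' registrable domain (assumption: two-label suffixes
    such as .co.uk are out of scope; use the Public Suffix List in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address_or_url):
    """Return 'legitimate', 'lookalike', or 'unrelated' for an email address or URL."""
    if "://" in address_or_url:
        host = urlsplit(address_or_url).hostname or ""
    else:
        host = address_or_url.rsplit("@", 1)[-1]
    host = host.lower()
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate"
    # Brand name anywhere in the host after homoglyph folding, e.g.
    # leroy-merlin-points.com, l3roymerlin.fr, leroymerlin.fr.secure-login.example.
    if BRAND in host.translate(HOMOGLYPHS):
        return "lookalike"
    # One- or two-character typos in the second-level label, e.g. leroymerlln.fr.
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    for legit in LEGITIMATE_DOMAINS:
        if levenshtein(label, legit.split(".")[0]) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("service@leroymerlin.fr", "fidelite@leroy-merlin-points.com",
                   "https://leroymerlin.fr.secure-login.example/", "support@leroymerlln.fr",
                   "newsletter@example.org"):
        print(f"{sample:50} -> {classify_sender(sample)}")
```

The same classifier is useful on the defender's side: run it over newly registered domains or over the sender domains in a mail gateway's logs to spot impersonation campaigns against the brand early. It deliberately says nothing about whether a legitimate-looking message is authentic (a spoofed From header can carry the real domain), so it complements, rather than replaces, SPF/DKIM/DMARC checks on the receiving side.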

References

https://www.bleepingcomputer.com/news/security/french-diy-retail-giant-leroy-merlin-discloses-a-data-breach/
https://www.cnil.fr/en/annual-report-2024
https://www.cnil.fr/en/investigation-powers-cnil/sanctions-issued-cnil
https://hadrian.io/case-study/leroy-merlin
https://www.brinztech.com/breach-alerts/brinztech-alert-unauthorized-ftp-access-sale-detected-for-a-french-shop/
https://radar.offseq.com/threat/cve-2025-11379-cwe-200-exposure-of-sensitive-infor-39e3c0ca
https://attack.mitre.org/techniques/T1078/
https://attack.mitre.org/techniques/T1190/
https://attack.mitre.org/techniques/T1213/
https://attack.mitre.org/techniques/T1567/002/
https://attack.mitre.org/techniques/T1565/

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their vendors and partners. Our platform enables continuous visibility into third-party security posture, supports rapid incident response, and facilitates compliance with regulatory requirements. For questions about this report or to discuss how our capabilities can support your organization’s risk management needs, please contact us at ops@rescana.com.
