
Cyber Incident Victim: Intersport

Date: Mar 2025

Location: France

Summary

Intersport disclosed a cyberattack that exposed personal data of 3.4 million French customers, including names, first names, email addresses and postal addresses, while confirming that banking information and passwords were not compromised. The leaked data also contained purchase‑related details such as invoice numbers, PayPal references, transaction amounts, types of bank cards used and loyalty card numbers. The database appeared for sale on BreachForums at a price of around 1,000 dollars in cryptocurrency. According to security researchers, the attackers gained access through an FTP server and obtained a configuration file containing system passwords. The incident adds to a series of recent data breaches affecting French retailers.

Description

On March 15, 2025, Intersport issued a public statement announcing that it had been the victim of a cyberattack and that it was currently informing its customers of the intrusion. In the notice sent to its clientele, the company said it had observed a consultation of personal data that could lead to a loss of confidentiality of certain information. Intersport advised affected individuals to change their password on the intersport.fr website and to never share personal details such as identifiers, passwords, bank account numbers or card numbers. The retailer clarified that banking data and passwords had not been compromised in the breach. It also warned that customers might be targeted by phishing emails that appear to come from the brand.

According to the breach notification, the exfiltrated data included customers’ names, first names, email addresses and postal addresses. Samples later posted on BreachForums by the seller showed additional purchase‑related fields such as invoice number, PayPal reference number, amount paid, type of bank card used and loyalty card number. The seller claimed the database contained information on 3.4 million individuals and that the intrusion had occurred on March 15, 2025. The cybercriminal, using the alias “placenta”, initially offered the database for auction at a minimum price of 2,500 USD, later reducing the asking price to 1,000 USD payable in cryptocurrency. Researcher Clément Domingo noted that the attack likely relied on the purchase of fraudulent access, citing a December 2024 listing of an INTERSPORT system access for 700 USD. Zataz reported that the attackers had gained entry through an FTP server and had shared a configuration file containing all of Intersport’s server passwords, a file attributed to a hacking group previously linked to attacks on French telecom operators such as Free and SFR.

Intersport stated that it had taken all necessary measures to prevent a recurrence and to guarantee total confidentiality of customer information, without specifying whether the French data protection authority (CNIL) had been notified. The company placed the incident within a pattern of previous security events, referencing ransomware attacks that had affected it in 2022 and 2024 and noting that it had previously been targeted by gangs such as Hive and Hunters. The article also mentioned that other French retailers had experienced similar data leaks around the same time, citing AutoSur and Vitalis as examples, but did not provide further detail on those cases. The narrative ends with the observation that the breach added to a growing series of data‑theft incidents affecting French consumers.
