
Cyber Incident Victim: Kiabi

Date:

Jan 2025

Location:

France

Summary

Kiabi's second-hand website suffered a credential stuffing attack in which cybercriminals used credentials compromised in other breaches to access approximately 20,000 customer accounts. The attackers exfiltrated personal information including names, birth dates, postal addresses, and IBANs; RIBs and identity documents stored with a third-party partner remained secure. In response, the company implemented IBAN masking, reset all customer passwords, and raised the minimum password length to 14 characters.


Description

On January 7, 2025, Kiabi's second-hand e-commerce platform experienced a credential stuffing attack that compromised approximately 20,000 customer accounts. The company's security teams detected unauthorized access attempts in which cybercriminals replayed credentials obtained from prior third-party data breaches, systematically testing millions of login combinations. This automated method succeeds only against accounts whose owners reused the same email and password on another site that had already been breached. Attackers exfiltrated personal data including full names, dates of birth, residential addresses, and International Bank Account Numbers (IBANs) from the compromised accounts. Kiabi confirmed that more sensitive financial documentation, specifically RIB documents (relevé d'identité bancaire) and identity documents, remained secure because it was stored externally by the payment processor Lemonway and was not accessible through the customer portal.


Following detection, Kiabi implemented immediate containment measures: IBAN masking across all customer accounts and a forced password reset for every user of the second-hand platform. The company also strengthened its password policy by raising the minimum password length to 14 characters. Forensic analysis indicated the attackers operated at scale, consistent with industry patterns in which credential stuffing campaigns succeed on roughly 0.1% of attempts according to Cloudflare data; at that rate, 20,000 compromised accounts implies on the order of millions of login attempts. The incident mirrored a November 2024 attack against the retailer Picard that exposed 45,000 customer records through similar methods. Kiabi's parent company, Mulliez Family Holdings, publicly disclosed the breach scope while emphasizing that core retail operations and the primary e-commerce systems were unaffected: the compromised second-hand platform ran on infrastructure separate from Kiabi's main retail websites.
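The attack pattern described above (credentials replayed across many accounts, roughly one attempt per account, a success rate near zero) is what a defender can look for in authentication logs, and two of Kiabi's containment steps (identifying accounts to reset, masking IBANs) follow directly from that analysis. The block below is an added example and is not code from the page, from Kiabi or from Lemonway. The log line format, the thresholds, the `mask_iban` helper and the sample log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not real Kiabi data). Assumed format:
# <timestamp> ip=<source> user=<email> result=<ok|fail>
# 203.0.113.7 tries eight distinct accounts once each and gets into one of them
# (the credential stuffing signature); 198.51.100.2 is one user mistyping a password.
SAMPLE_LOG = """\
2025-01-07T02:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2025-01-07T02:00:01Z ip=203.0.113.7 user=bob@example.com result=fail
2025-01-07T02:00:02Z ip=203.0.113.7 user=carol@example.com result=ok
2025-01-07T02:00:02Z ip=203.0.113.7 user=dave@example.com result=fail
2025-01-07T02:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2025-01-07T02:00:03Z ip=203.0.113.7 user=frank@example.com result=fail
2025-01-07T02:00:04Z ip=203.0.113.7 user=grace@example.com result=fail
2025-01-07T02:00:04Z ip=203.0.113.7 user=heidi@example.com result=fail
2025-01-07T02:00:05Z ip=198.51.100.2 user=ivan@example.com result=fail
2025-01-07T02:00:09Z ip=198.51.100.2 user=ivan@example.com result=fail
2025-01-07T02:00:15Z ip=198.51.100.2 user=ivan@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP login counters."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)


def parse_log(text: str) -> list[dict]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stats_by_ip(events: list[dict]) -> dict[str, SourceStats]:
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "ok":
            s.successes += 1
    return dict(stats)


def flag_stuffing(stats: dict[str, SourceStats], min_users: int = 5,
                  max_attempts_per_user: float = 2.0,
                  max_success_rate: float = 0.2) -> dict[str, dict]:
    """Flag sources that look like credential stuffing rather than brute force:
    many distinct usernames, about one try per username, almost all failures.
    A brute-force source hits one username many times; a legitimate source
    has few usernames and mostly successes. Thresholds are assumed values."""
    flagged = {}
    for ip, s in stats.items():
        attempts_per_user = s.attempts / len(s.users)
        success_rate = s.successes / s.attempts
        if (len(s.users) >= min_users
                and attempts_per_user <= max_attempts_per_user
                and success_rate <= max_success_rate):
            flagged[ip] = {"attempts": s.attempts, "distinct_users": len(s.users),
                           "success_rate": success_rate}
    return flagged


def compromised_accounts(events: list[dict], flagged: dict[str, dict]) -> set[str]:
    """Accounts successfully logged into from a flagged source: the first
    candidates for a forced password reset and session invalidation."""
    return {ev["user"] for ev in events
            if ev["ip"] in flagged and ev["result"] == "ok"}


def mask_iban(iban: str, keep_last: int = 4) -> str:
    """Show only the country code and the last few digits of an IBAN, so a
    hijacked session cannot read the full account number from the profile."""
    compact = re.sub(r"\s+", "", iban).upper()
    if len(compact) < 2 + keep_last:
        raise ValueError("IBAN too short to mask")
    hidden = len(compact) - 2 - keep_last
    return compact[:2] + "*" * hidden + compact[-keep_last:]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing(stats_by_ip(events))
    print("flagged sources:", flagged)
    print("accounts to reset:", compromised_accounts(events, flagged))
    print("masked IBAN:", mask_iban("FR76 3000 6000 0112 3456 7890 189"))
```

The distinguishing feature of the heuristic is the attempts-per-username ratio: a stuffing bot already holds one password per email and moves on after a single failure, so it produces a wide, shallow fan of usernames from one source, which per-account lockout thresholds never trigger on. Rate limits and alerts keyed on source IP (or, against distributed botnets, on the count of distinct usernames per network or per device fingerprint) catch it; the 14-character minimum Kiabi adopted does not stop replay of a reused password but makes the reused password less likely to exist in the first place.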
