Leroy Merlin’s French division has notified customers of a cyberattack that resulted in the exposure of part of its customer database. While the incident reportedly affects only users registered in France and did not compromise banking data or account passwords, it still creates a favourable environment for targeted phishing and social engineering attacks.
Leroy Merlin France Confirms Cyberattack and Data Leak
Information about the breach surfaced publicly after a user under the alias SaxX_ shared screenshots of Leroy Merlin’s notification email on the social network X (formerly Twitter). In this message, the retailer explains that its information system was the target of a cyberattack, potentially allowing unauthorised third parties to access certain customer data.
According to the company, once suspicious activity was detected, Leroy Merlin activated its internal incident response procedures. Attacker access was blocked and affected systems were isolated to contain the intrusion and prevent further lateral movement within the network. This type of rapid containment is now considered best practice in retail cyber security, where extensive IT infrastructures and numerous customer touchpoints increase the attack surface.
The retailer states that a technical and legal investigation is ongoing, in cooperation with relevant authorities and external cybersecurity experts. Such collaboration is standard in the European Union, where data protection authorities and specialised cyber units often assist in analysing breaches and assessing regulatory obligations under frameworks such as the GDPR.
What Customer Data Was Exposed in the Leroy Merlin Breach?
Leroy Merlin reports that the breach involved a portion of customers’ personal data. While the company has not publicly disclosed the full data schema, typical retail customer records may include name, contact details, postal address, and information related to orders or loyalty programmes.
At the same time, the retailer emphasises two critical points for affected customers:
1. Banking and payment data were not compromised. Leroy Merlin indicates that card numbers, bank account details, and other payment information are stored and processed in a separate, more tightly segmented environment. Network and data segmentation are core security controls that limit the impact of intrusions by preventing attackers from easily pivoting into payment systems.
2. Account passwords were not exposed. Current findings suggest that attackers did not obtain password hashes or direct access to customer accounts. However, even without passwords, personal data can still be misused to orchestrate convincing fraud attempts.
The company notes that, at the time of notification, no malicious use of the stolen information had been detected. In many recent incidents, however, there can be a delay of weeks or months before data appears on underground forums or is used in targeted scams, so customers should not interpret this as an all-clear.
Key Cyber Risks: Phishing and Social Engineering After Retail Breaches
Even when financial data and passwords are not leaked, partial exposure of personal information significantly increases the risk of phishing and social engineering. With a victim’s name, email, phone number, and knowledge of their relationship with a brand, attackers can craft messages that look highly authentic.
Industry reports such as Verizon’s annual Data Breach Investigations Report consistently show phishing as one of the most common initial attack vectors. Likewise, IBM’s Cost of a Data Breach studies highlight that exposed customer personal data is among the most expensive types of information for organisations to lose, largely due to fraud remediation and loss of trust.
In the context of Leroy Merlin, attackers could impersonate customer support, logistics, or loyalty programme staff to trick victims into revealing one-time passwords, full card details, or login credentials. Messages might reference real or plausible orders, refunds, or bonus activations to appear legitimate.
How to Spot Phishing Messages Posing as Leroy Merlin
Leroy Merlin advises customers to stay vigilant and treat unexpected communications with caution. Users should be particularly wary if:
— The message creates artificial urgency. Examples include threats that an account will be blocked, an order cancelled, or loyalty points will expire unless the user clicks a link or provides information immediately. Urgency is a classic social engineering technique designed to bypass rational thinking.
— The sender’s address or domain looks slightly off. Fraudsters often register look‑alike domains that differ from the official one by a single character, an extra digit, or a different top‑level domain. On mobile devices, where sender details can be truncated, this is especially hard to spot.
— The email or SMS requests confidential data. Legitimate companies do not ask for full payment card details, CVV codes, passwords, or one‑time authentication codes via email, SMS, or messaging apps. Any such request should be treated as a red flag.
The safest approach is to avoid clicking on links in unsolicited messages. Instead, customers should manually type the official Leroy Merlin website address into their browser or use the official mobile app to verify any notifications or account issues.
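The look-alike domain indicator above can be checked mechanically. The following added example (not from Leroy Merlin's notice) classifies a sender address as official, look-alike or unrelated using the three patterns the notice describes: one changed, added or dropped character, an extra digit, and a swapped top-level domain. The official domain `leroymerlin.fr` and the sample addresses are assumptions for illustration.

```python
"""Flag sender domains that are near-misses of an official retailer domain."""
import re

# Assumed official domain for the example; not taken from the breach notice.
OFFICIAL_DOMAIN = "leroymerlin.fr"


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: substitution, insertion and deletion cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(domain: str) -> tuple:
    """Return (everything before the last dot, top-level domain)."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def classify_sender(address: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for an e-mail sender.

    Mail from a subdomain of the official domain counts as official; a brand
    name embedded in some other domain, a digit inserted into the name, a
    swapped TLD, or a single-character edit all count as look-alikes.
    """
    domain = address.rsplit("@", 1)[-1].lower().strip("<> ")
    if domain == official or domain.endswith("." + official):
        return "official"
    label, _tld = _split(domain)
    off_label, _off_tld = _split(official)
    if off_label in label:
        return "lookalike"  # brand reused under another domain or TLD
    if re.sub(r"\d", "", label) == off_label:
        return "lookalike"  # digits inserted into the brand name
    if _edit_distance(label, off_label) == 1:
        return "lookalike"  # one character changed, added or dropped
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, not real campaign data.
    for sender in ["noreply@leroymerlin.fr", "promo@news.leroymerlin.fr",
                   "service@leroymerlin.com", "support@leroymerl1n.fr",
                   "orders@leroymerlin1.fr", "info@leroy-merlin.fr",
                   "alerts@leroymerlin.fr.secure-login.example",
                   "deals@bricolage-store.example"]:
        print(f"{sender:45} -> {classify_sender(sender)}")
```

Running the script lists each constructed sender with its verdict; a mail gateway rule or a help-desk triage script could apply the same function to the From: header of forwarded reports.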
Recommended Security Measures for Leroy Merlin Customers
To reduce the risk of fraud following the breach, security best practices include:
— Monitor account and order activity. Customers should regularly check recent orders, saved addresses, and profile changes. Any unfamiliar login notifications, profile edits, or orders should be reported immediately to Leroy Merlin’s support team.
— Keep an eye on loyalty points and rewards. Unauthorised earning or redemption of loyalty points can indicate that someone is attempting to exploit partial account access or impersonate the customer.
— Report suspicious emails, SMS, and calls. Forwarding suspicious messages to the company’s official support channels helps security teams identify new phishing campaigns early and notify other customers more quickly.
— Strengthen general account security. Where available, enabling multi‑factor authentication (MFA), using unique, complex passwords for each online service, and regularly reviewing security settings reduce the impact of future breaches, whether at Leroy Merlin or elsewhere.
The incident at Leroy Merlin France underscores a broader trend: retailers remain high‑value targets for cybercriminals due to the combination of large customer databases and extensive digital services. Even when payment systems and passwords are adequately protected, leaked personal data can fuel long‑term phishing, identity fraud, and erosion of customer trust. By combining robust corporate security measures with informed, cautious user behaviour, organisations and their customers can significantly reduce the likelihood that a data breach will turn into direct financial or reputational damage.