Breaches | Mar 23, 2026

Alleged Breach of Airsoft-Entrepot Exposes 333K Customer Records, Orders, Invoices, and B2B Data From French Retailer Spanning 2013 to 2026

Threat actor HexDex claims breach of French airsoft retailer Airsoft-Entrepot, exposing 333K customer records and

Summary

A threat actor named HexDex is selling stolen data allegedly from Airsoft-Entrepot, a French e-commerce retailer, spanning 13 years of customer records, orders, invoices, supplier information, and B2B data. The breach encompasses 383K unique customer profiles, 328K email addresses, 243K phone numbers, and 333K full addresses, along with warehouse inventory, accounting, and delivery records across 10+ database files. The actor is distributing samples via dark web forums and encrypted messaging (qTox, Session) and is soliciting offers for the full dataset.

Full text

Dark Web Informer - Cyber Threat Intelligence

March 23, 2026 - 4:03:43 AM UTC
France | Retail / E-Commerce

Quick Facts

  • Date & Time: 2026-03-23 04:03:43 UTC
  • Threat Actor: HexDex
  • Victim: Airsoft-Entrepot
  • Industry: Retail / E-Commerce
  • Category: Data Breach
  • Unique Customers: 383K
  • Unique Emails: 328K
  • Unique Phones: 243K
  • Data Range: 2013 - 2026
  • Files: 10+
  • Price: Make Offer
  • Country: France

Incident Overview

A threat actor going by HexDex claims to be selling multiple databases from Airsoft-Entrepot, a French online retailer specializing in airsoft equipment, replicas, gear, and accessories. The company is known for competitive pricing, fast shipping, and a strong presence in the airsoft community.

The listing covers data spanning from 2013 to 2026 across more than 10 separate database files. The actor is offering customer, order, invoice, supplier, delivery, accounting, and B2B order databases along with warehouse and inventory data.

From the customer file alone, the actor provided the following breakdown:

  • Unique Addresses: 333K full address records.
  • Unique Customers: 383K individual customer profiles.
  • Unique Phone Numbers: 243K phone numbers.
  • Unique Emails: 328K email addresses.

The breadth of the data goes well beyond just customer PII. The inclusion of supplier databases, B2B order records, accounting data, and warehouse inventory means this breach exposes the company's full operational backend: who they buy from, what they sell, what they stock, their financial records, and their entire customer and delivery history over 13 years.

The actor provided proof links, sample data from the customer file, and a 1K line sample across all files. Pricing is by offer, with contact available via qTox or Session messaging.

Compromised Data Categories

  • Customer Records
  • Full Addresses
  • Email Addresses
  • Phone Numbers
  • Order History
  • Invoice Data
  • Supplier Information
  • Delivery Records
  • Accounting Data
  • B2B Order Records
  • Warehouse / Inventory Data

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application
    Targets vulnerabilities in the retailer's ecommerce platform to gain unauthorized access to backend databases containing customer, order, and business data.
  • T1213 Data from Information Repositories
    Extracts structured data from ecommerce application databases, pulling customer profiles, order histories, invoices, supplier records, and accounting data across 10+ files.
  • T1005 Data from Local System
    Collects data directly from the compromised system, extracting full database exports including warehouse inventory, delivery records, and B2B transaction history.
  • T1589.002 Gather Victim Identity: Email Addresses
    Harvests 328K unique email addresses, 243K phone numbers, and 333K physical addresses from the customer database for resale and potential targeted attacks.
  • T1530 Data from Cloud Storage
    Accesses cloud-hosted ecommerce databases and storage systems containing 13 years of operational data including supplier relationships and financial records.
  • T1567 Exfiltration Over Web Service
    Uses web forums and encrypted messaging (qTox, Session) to advertise, distribute samples, and negotiate sales of the stolen retail databases.

Indicators of Compromise

  • malware — HexDex
  • mitre_attack — T1190
  • mitre_attack — T1213
  • mitre_attack — T1005
  • mitre_attack — T1589.002
  • mitre_attack — T1530
  • mitre_attack — T1567