Breaches | Apr 1, 2026

Alleged Breach of Smarteez Exposes Full Production Database for L'Oreal Morocco Including 296 Pharmacies, 361K Sales Records, OAuth Secrets, and Competitive Intelligence Across Four L'Oreal Brands

Smarteez production database for L'Oreal Morocco breached, exposing 361K sales records, 296 pharmacies, OAuth secrets.

Summary

A threat actor named xNov has leaked the complete production database of Smarteez, a Moroccan digital platform operated exclusively for L'Oreal Morocco. The breach exposes over 361,000 sales records, 296 pharmacy locations with GPS coordinates, 26 user accounts, 22 OAuth2 client secrets in plaintext, product catalogs, and over 1 million competitive intelligence files spanning mid-2023 to early 2026. The compromised data also includes admin audit trails, Django session records, and system configuration details including an Android APK download URL.

Full text

Dark Web Informer - Cyber Threat Intelligence

April 1, 2026 - 1:19:41 AM UTC | Morocco | Cosmetics / Pharmaceutical Retail

Quick Facts

  • Date & Time: 2026-04-01 01:19:41 UTC
  • Threat Actor: xNov
  • Victim: Smarteez / L'Oreal Morocco
  • Industry: Cosmetics / Pharmaceutical Retail
  • Category: Data Breach
  • Brands Affected: La Roche-Posay, Vichy, CeraVe, Dercos
  • Pharmacies: 296
  • Sales Records: 361,000+
  • Data Range: Mid-2023 to Early 2026
  • User Accounts: 26 (PBKDF2)
  • Price: Free (Public Leak)
  • Country: Morocco

Incident Overview

A threat actor going by xNov has leaked the complete production database of Smarteez, a Moroccan digital factory based in Casablanca that was developed and operated exclusively for L'Oreal Morocco. Smarteez also serves other major enterprise clients including Total Maroc, SAHAM Assurance, and Carglass. The exposed data covers four L'Oreal brands active on the platform: La Roche-Posay, Vichy, CeraVe, and Dercos, spanning from mid-2023 through early 2026.

The breach is comprehensive and covers the platform's entire operational footprint across multiple data categories:

  • User Accounts: 26 accounts including two platform superusers, one L'Oreal staff administrator, and approximately 20 field representatives deployed across Morocco in Casablanca, Rabat, Marrakech, Meknes, Fes, Kenitra, and Tanger. All passwords stored as PBKDF2 hashes.
  • Pharmacy Network: 296 pharmacies across Morocco, each recorded with full name, physical address, GPS coordinates, city, sales territory, and client reference codes, organized into 8 regional sectors with named territory managers.
  • Sales Data: Over 361,000 fully denormalized analytics records, 10,000 raw sales transactions, 10,000 purchase orders, and 10,000 no-purchase contact visits. The sample SQL data shows individual transaction-level detail including product names, barcodes, pricing, brand, pharmacy name, representative name, and timestamps.
  • Product Catalog: 2,495 references across 49 brand lines with barcodes, pricing, and article codes.
  • Competitive Intelligence: Over 1 million merchandising visit records and over 1 million competitive intelligence media files, representing L'Oreal Morocco's field intelligence on competitor shelf positioning and retail presence.
  • Authentication Layer: 22 OAuth2 applications with their client IDs and 128-character client secrets stored in plaintext, alongside 519 Django session records.
  • Admin Audit Trail: Full admin action log of 4,504 entries detailing every change made to the platform with timestamps and usernames.
  • System Configuration: The configuration table leaked the live Android APK download URL and current version identifier.
  • Reporting Layer: Aggregated KPI views per pharmacy, monthly and yearly sales comparisons across 2023 to 2025, and user activity data from a connected secondary database.

This breach exposes L'Oreal Morocco's complete sales operation infrastructure, field intelligence apparatus, pharmacy distribution network, and product pricing strategy across the country.
Compromised Data Categories

  • Pharmacy Network (296 Locations)
  • GPS Coordinates
  • Sales Analytics (361K Records)
  • Purchase Orders
  • Product Catalog & Pricing
  • Competitive Intelligence Media
  • Field Representative Details
  • Territory Manager Assignments
  • OAuth2 Plaintext Client Secrets
  • PBKDF2 Hashed Passwords
  • Django Session Records
  • Admin Action Logs
  • Android APK Download URL
  • KPI Reporting & Sales Comparisons

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application: Targets vulnerabilities in the Smarteez web platform to gain unauthorized access to the complete L'Oreal Morocco production database and application infrastructure.
  • T1213 Data from Information Repositories: Extracts the entire production database including sales analytics, pharmacy records, product catalogs, purchase orders, and competitive intelligence data spanning nearly three years.
  • T1552.001 Credentials In Files: Exposed 22 OAuth2 applications with 128-character client secrets stored in plaintext, along with Django session records and PBKDF2 hashed user passwords.
  • T1005 Data from Local System: Collected system configuration data including the live Android APK download URL, version identifiers, and API call logs with endpoint details and response data.
  • T1119 Automated Collection: Over 1 million competitive intelligence media files and merchandising visit records were collected, representing L'Oreal Morocco's systematic field intelligence on competitor retail positioning.
  • T1567 Exfiltration Over Web Service: Published the complete production database as a password-protected free download on web forums with a publicly shared password and Telegram channel link.

Indicators of Compromise

  • malware — xNov
  • mitre_attack — T1190
  • mitre_attack — T1213
  • mitre_attack — T1552.001
  • mitre_attack — T1005
  • mitre_attack — T1119
  • mitre_attack — T1567