Sport 2000, the French sporting goods retailer, is tied to a 2024 customer loyalty database leak now indexed by leaksear.ch with 4,276,740 records (leaksear.ch metadata). Have I Been Pwned lists the incident as an April 2024 breach with 3.2 million affected accounts and says the exposed data included names, physical addresses, phone numbers, dates of birth, and purchases by store name (haveibeenpwned.com).
What happened
Clubic reported that Sport 2000 announced on its website that it had suffered a cyberattack on April 19, 2024, and that personal data for more than 4 million customers was suspected to be for sale on the dark web. The same report cited Zataz reporting that the data was obtained through an infostealer campaign, while describing attribution to the francophone Epsilon group as suspected rather than officially confirmed (www.clubic.com).
Have I Been Pwned says the Sport 2000 data was subsequently put up for sale on a hacking forum and included 4.4 million rows with 3.2 million unique email addresses (haveibeenpwned.com). CyberInsider reported that the database was advertised for sale in April 2024 and later reposted in June 2024, making the data more broadly accessible to malicious actors (cyberinsider.com).
What data was exposed
The leaksear.ch index contains searchable identity and contact pivots: names, email addresses, phone numbers, postal addresses, and dates of birth (leaksear.ch metadata). Additional non-search fields stored with records include loyalty card numbers, store names or IDs, first and last purchase dates, recent purchase totals and ticket counts, opt-in flags for email, SMS and postal mail, behavioral and RFM segmentation, points balances, credit amounts, wallet status, and contact-validity indicators (leaksear.ch metadata).
Public breach listings align with the core exposure categories. Have I Been Pwned lists dates of birth, email addresses, names, phone numbers, physical addresses, purchases, and salutations as compromised data, while CyberInsider also reported purchase details linked to specific Sport 2000 stores (haveibeenpwned.com, cyberinsider.com).
Why this matters
This is not just an email list. A record combining a person's name, date of birth, address, phone number, loyalty account context, store history, and purchase behavior can support convincing phishing, account-recovery scams, SIM-swap pretexts, and retail-themed fraud (leaksear.ch metadata). Security teams should watch for Sport 2000-themed lures, especially messages that reference store locations, loyalty points, refunds, or recent purchases. If you used Sport 2000's loyalty program or shopped in its stores, use the exposure check below to search the supported pivots before responding to unsolicited messages or calls.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, date of birth, email, name, and phone.