French email provider's exposed database leaked 40M records from L'Oreal, Renault, government

Which executives talk to which suppliers reveals sensitive business intentions
The leaked communication patterns exposed more than email addresses—they revealed organizational relationships that could expose strategic plans.

Somewhere between the promise of digital security and its practice, a French email infrastructure company left 40 million records open to the world — records belonging not just to corporations like L'Oreal and Renault, but to the embassies and agencies of the French state. Alinto, a provider whose purpose is to protect the flow of communication, had left an unsecured database exposed on the open internet for an unknown period of time. The breach is a quiet but consequential reminder that the guardians of our digital correspondence are themselves vulnerable to the oldest of failures: an unlocked door.

  • An unsecured Elasticsearch cluster at Alinto sat exposed on the open internet, leaking 40 million SMTP records — including the email traffic of major corporations and French government embassies — to anyone who knew where to look.
  • The exposed data goes far beyond simple email addresses: timestamps, relay IPs, and sender-recipient pairings create behavioral maps that attackers can exploit to craft eerily convincing impersonation campaigns.
  • At least 14,000 unique government email addresses were among the 4.5 million exposed, raising national security concerns about the visibility of diplomatic and administrative communication patterns.
  • Cybernews researchers discovered the breach in early April and alerted Alinto, which moved quickly to secure the cluster — but the window of exposure remains unknown, and whether malicious actors got there first is an open question.
  • Affected organizations now face a heightened threat landscape: more targeted phishing, sophisticated social engineering, and the unsettling possibility that their internal relationship networks have already been mapped by unknown parties.

A French email security company left one of its core databases exposed on the open internet for an unknown length of time, leaking the communication records of millions of people and some of Europe's most prominent institutions. Alinto, which provides email delivery and security services to businesses and government agencies across France, had failed to secure an Elasticsearch cluster containing 40 million SMTP records — the technical logs that trace every email through the system, including sender and recipient addresses, timestamps, location data, and relay server IPs.

Security researchers at Cybernews discovered the exposed database in early April and notified Alinto, which secured it promptly. But the records had already been sitting in the open. Among the 4.5 million unique email addresses exposed were those belonging to L'Oreal, Renault, and DHL — and more troublingly, at least 14,000 addresses tied to French government agencies, municipalities, and embassies around the world.

The real danger, security experts note, is not the email addresses themselves but what surrounds them. Knowing who communicates with whom, and when, allows attackers to build relationship maps and behavioral profiles — the raw material for impersonation attacks timed to feel entirely routine. The exposed infrastructure also included Alinto's own Cleanmail.eu relay service, meaning the company's email security product had become a window into the very communications it was built to protect.

What no one can answer is how long the database was accessible or whether malicious actors found it before the researchers did. For the affected organizations, that uncertainty may be the most corrosive part of the breach — leaving them to navigate a future of elevated phishing risk and the possibility that their internal networks are already known to someone, somewhere, they never intended to reach.

A French email infrastructure company left one of its core databases sitting openly on the internet for an unknown length of time, exposing the email records of millions of people and some of Europe's largest corporations. Alinto, which provides email security and delivery services to businesses and government agencies across France, had failed to secure an Elasticsearch cluster—a type of database commonly used for searching and analyzing large volumes of data. The cluster contained 40 million SMTP records, the technical logs that track every email sent through the system, complete with sender addresses, recipient addresses, timestamps, location information, and the IP addresses of the relay servers handling the traffic.

Security researchers at Cybernews discovered the exposed database in early April and immediately notified Alinto, which secured it. But by then, the damage was already done. The leaked records included at least 4.5 million unique email addresses. Among the organizations affected were L'Oreal, the cosmetics giant; Renault, France's largest automaker; and DHL, the logistics company. More concerning to French national security, the database also contained email addresses belonging to numerous government agencies, municipalities, and French embassies around the world—at least 14,000 unique government email addresses in total.

On the surface, a list of email addresses might seem like a minor exposure. But security experts understand the real danger. When you know which email addresses communicate with each other, and you know the times those communications happen, you gain insight into behavioral patterns. An attacker can use that information to craft convincing impersonation attacks, sending a fraudulent email from someone you regularly correspond with, at a time when you would normally expect to hear from them. The leaked data also reveals relationship maps—which executives talk to which suppliers, which government officials coordinate with which agencies. Those maps can expose sensitive business intentions before they become public, like the timing of a product launch or a strategic partnership.

The exposed cluster also hosted an SMTP server running under the domain Cleanmail.eu, which is Alinto's email security relay solution. This means the company's own infrastructure for protecting email security had become a window into the communications it was supposed to protect. For organizations relying on Alinto to keep their email systems running and secure, the irony was stark.

What remains unknown is whether any malicious actors discovered and accessed the database before Cybernews found it. The researchers have no way of knowing how long the cluster was exposed or who else might have downloaded the data. For the affected companies and government agencies, that uncertainty is perhaps the most troubling part. They now face a future of increased spam targeting their employees, more sophisticated phishing attacks, and the possibility that someone, somewhere, has a detailed map of their internal communications and organizational relationships. The breach serves as a reminder that even companies whose entire business is built around email security can fail at the most basic requirement of their own infrastructure: keeping their data locked down.

Having information about which addresses communicate between each other, and at what times, reveals behavioral data which can help with further attacks—impersonating a person you commonly communicate with, sending communications as expected when they are expected.
— Cybernews security research team
The Hearth Conversation Another angle on the story
Inventor

Why does a list of email addresses matter so much? People's email addresses are already semi-public.

Model

Because it's not just the addresses—it's the metadata around them. You know who talks to whom, when they talk, and from where. That's behavioral intelligence.

Inventor

So someone could impersonate a colleague and I'd be more likely to believe it?

Model

Exactly. If I know you email your supplier every Tuesday at 2 p.m., I can send you a fake email from them at 2 p.m. on a Tuesday. It fits the pattern you expect.

Inventor

And the government agencies—why is that particularly sensitive?

Model

Because you can map out which officials coordinate on what. You can infer policy decisions, strategic partnerships, even vulnerabilities in how agencies communicate with each other.

Inventor

Did Alinto know the database was exposed?

Model

No. Cybernews found it and told them. We don't know how long it was sitting there or if anyone else found it first.

Inventor

So the real damage might not be visible yet.

Model

Right. The spam and phishing attacks will come. But the relationship maps—those could be used for years.

Contact Us FAQ