
French Tour Operator Pachatours Allegedly Breached, Passport, Payment and Credential Data Exposed

Breach Report | France | Travel


A threat actor using the alias misere, crediting collaborators (ChimeraZ and NightBroker), has posted what they describe as a complete database breach of Pachatours (pachatours.fr / pachatours.pro), a French tour operator specializing in Hajj packages and Tunisian beach holidays. The actor claims to have extracted the full database (about 2GB, more than 2.2 million rows) by exploiting an unauthenticated, unprotected web endpoint vulnerable to SQL injection. Per the post, the data covers 31,087 unique individuals and includes plaintext passport numbers, airline booking (PNR) codes, B2B travel-agency logins with cleartext passwords, payment transactions (VISA/CB), email-system credentials, and hundreds of thousands of accounting entries, alongside the company's full product and pricing catalogue. The dataset's authenticity and scope are unverified.

Data: 31,087 persons
Access: Points-gated
Country: France
Actor: misere

Post details

Target: Pachatours (pachatours.fr / .pro)
Country: France
Sector: Travel / Tour Operator
Claim: Full database extracted (~2GB, 2.2M+ rows)
Data: Passports, payments, B2B creds, PNRs
Vector: SQL injection via unprotected web endpoint
Observed
Actors: misere, ChimeraZ, NightBroker

Allegedly included

  • 31,087 unique individuals
  • Plaintext passport numbers
  • Airline PNR booking codes
  • B2B logins (cleartext passwords)
  • Payment transactions (VISA/CB)
  • Email-system credentials
  • 349,000+ accounting entries
  • Full voyage & pricing catalogue


Potential impact

This is a critical breach because it combines high-sensitivity identity, financial, and credential data with a full database compromise. The exposure reportedly includes plaintext passport numbers and airline booking codes, which enable identity theft and travel-related fraud, as well as payment-card transaction data. Most damaging from a security standpoint, the post claims B2B travel-agency logins were stored as cleartext passwords and that the company's email-sending credentials were exposed, which would let attackers impersonate the company, send convincing phishing to its agency partners, and pivot deeper into connected systems. With cleartext credentials and exposed mail infrastructure, the risk of follow-on business-email-compromise and account takeover is high. To avoid aiding further attacks, this report does not reproduce the specific systems, credentials, addresses, passport numbers, booking codes, or exploitation steps described in the post. Affected individuals face passport-fraud and phishing risk; the company should treat all exposed credentials as compromised and rotate them immediately. The authenticity and scope are unverified.

Status

Unverified

The actor published a technical intrusion write-up, data samples, and a points-gated download; none of the exploitation specifics, server details, credentials, passport numbers, sample records, or download details are reproduced here. This post credits the same alias (ChimeraZ) seen in other recent European leaks. The claim has not been independently confirmed and Pachatours has not publicly addressed it. Given the exposed credentials and email infrastructure described, the company should rotate all credentials and review its public-facing systems urgently.


DARK WEB INFORMER - THREAT INTELLIGENCE
