Ledil Immobilier (ledil.immo) Database Breached: Threat Actor 888 Leaks 6,700 French Real Estate User Records
A threat actor operating under the alias 888 has released the complete database of Ledil Immobilier (ledil.immo), a French real estate mandataire network founded in Agen in 2012 with more than 2,000 listed properties. The listing on darkforums.su claims the breach occurred in April 2026 and exposes 6,700 unique user records covering acquéreurs (buyers), mandataires (agents), notaires, and property intervenants. The archive is offered as a free download to registered forum members.
A full database dump of a French real estate network with 6,700 unique user records, including names, emails, phone numbers, addresses, property transaction data, and professional identifiers for notaires and mandataires. Distributed as a free download on darkforums.su, maximising exposure. High risk of targeted fraud against buyers, sellers, and agents.
Incident Summary
Incident Overview
A threat actor going by 888 has posted the full database of Ledil Immobilier (ledil.immo) on a popular cybercrime forum. Ledil Immobilier is a French real estate mandataire network founded in 2012 by Katia and Laurent Baron in Agen (Lot-et-Garonne, Nouvelle-Aquitaine) and operating nationally with more than 2,000 property listings across houses, apartments, land, and investments. The actor describes the company as "a pioneering network of free real estate agents" and states the breach occurred in April 2026.
According to the listing, the dataset contains 6,700 unique user records. The exposed schema visible in the compromised-data list and sample rows is consistent with a full export from Ledil's internal business tool, which appears to run on Drupal with the Search API (fields include search_api_solr, drupal_X2f_langcode, and entity:acquereur references). The data categories exposed include:
- Acquéreur (Buyer) RecordsFull names, email addresses, telephone numbers, addresses, nationalities, and search criteria tied to individual prospective buyers registered in Ledil's CRM.
- Mandataire & Agent DataAgent user IDs, names, emails, and telephone numbers for Ledil's network of mandataires, along with sector assignments and postal codes of their working zones.
- Notaire & Intervenant DetailsIdentifiers for notaires and other transaction intervenants, with linkages to specific property files and mandates.
- Property (Bien) RecordsProperty prices, descriptions, locations (commune, département), surface areas, legal statuses, number of rooms, energy categories, commercial status, and offer-type metadata.
- Transaction MetadataHonoraires (agent fees), mandate document numbers, boost and highlight flags, creation and update timestamps, message logs, and internal statuses for each listing.
The sample rows published by the actor include real French email addresses across commonly-used domains (wanadoo.fr, hotmail.fr, and corporate addresses such as amann-kaffee.at), first names, and Drupal entity URLs pointing to enterprise1.ledil.immo, suggesting the leak originates from an internal staging or production instance of Ledil's mandataire platform rather than from a public website. Transaction timestamps in the visible sample cluster around late 2025, consistent with the claimed April 2026 breach date. The fact that the dataset is being distributed at no cost, only gated behind basic forum registration, maximises exposure and makes retroactive containment impractical.
Compromised Data Categories
Screenshots
%20Database%20Breached%3A%20Threat%20Actor%20888%20Leaks%206%2C700%20French%20Real%20Estate%20User%20Records){kind=link}