When Leroy Merlin collapses, your WordPress could be next: the scary 2025 security report


Wednesday, December 4, 2025, 2:30 p.m. You receive an email from Leroy Merlin. Not a promotion on drills, but an acknowledgement of failure: « Your personal data has leaked. » Hundreds of thousands of customers are in the same situation. The cause? A simple human error, exploited by an emerging cybercriminal group. Meanwhile, your WordPress site is running with outdated plugins, passwords shared by email, and admin access that has never been reviewed. HiveProtect.ai didn’t prevent the Leroy Merlin attack, but it prevents exactly this type of flaw on your platform. The question is no longer « if » you will be attacked, but « when ».

The year 2025: a black year for French cybersecurity

An unprecedented upsurge

The French cyber landscape has changed in 2025. The figures are relentless: the CNIL received 5,629 notifications of personal data breaches, an increase of 20% compared to 2023. Even more alarming, the number of attacks affecting more than a million people has doubled in one year. The ANSSI, for its part, handled 4,386 security events in 2024, 15% more than in 2023. Between November 2024 and September 2025, the growth in the number of computer attacks in France exceeds 50%.

This year, computer hacking represents 62% of the total notifications sent to the CNIL. Ransomware attacks dominate with 34.1% of incidents, followed by DDoS attacks (28.2%) and data theft (17.2%). The average cost of an information system shutdown exceeds €200,000 for an SME/ETI.

The victims of 2025: from the Mulliez empire to the State

Leroy Merlin announced on December 3 that it had suffered a cyberattack via the Dumpsec group, compromising the data of « a few hundred thousand » customers: surnames, first names, telephone numbers, email and postal addresses, dates of birth, loyalty information. Bank data was reportedly spared, but the brand has notified the CNIL and filed a complaint.

Auchan, another heavyweight of the Mulliez empire, experienced a similar scenario on August 21. Same types of stolen data, same method of attack, same promise of security of bank data. This is the second time in a year for the brand, which was already targeted in November 2024.

France Travail has suffered at least three major attacks in 2025. The most recent, detected on 30 November, exposed the data of 1.6 million young people followed by local missions. On July 23, a first attack had already paralyzed its systems. On August 12, a job portal for companies was compromised.

Bouygues Telecom saw more than six million customer accounts affected at the beginning of August, this time including bank details. The Urssaf, the French football and shooting federations, and Colis Privé have also been victims of intrusions.

VSEs/SMEs in the crosshairs

Despite this media focus on large companies, SMEs are the most exposed. In 2025, 16% of the companies surveyed say they have been the victim of one or more incidents in the last 12 months. French organizations suffered 385,000 cyberattacks in 2022, or more than 1,050 attacks per day. 67% of French companies say they have experienced at least one cyberattack in 2024, compared to 53% in 2023.

However, 78% of VSEs/SMEs say they are insufficiently prepared for online threats. Only a third are adequately prepared for cyber threats. 72% of VSEs/SMEs do not have any employees dedicated to security. Lack of knowledge and expertise (63%), budget constraints (61%) and lack of time (59%) hinder any improvement.

The French-speaking market under close scrutiny

Switzerland: ninth most targeted country in Europe

Switzerland accounts for 3.3% of European victims of cyberattacks, ranking ninth in Europe. In 2024, approximately 63,000 incidents were reported, an increase of 28% compared to 2023. Phishing is on the rise: the Federal Office for Cyber Security (FOCS) recorded more than 975,000 messages in 2024, compared to less than 500,000 in 2023.

Since April 2025, critical infrastructure operators have been required to report any cyberattacks within 24 hours. The financial, IT and energy sectors are the most affected. Identity-based attacks increased by 32% in the first half of 2025, of which more than 97% were password attacks.

Belgium and other French-speaking territories

The data specific to Belgium are less centralized, but the trends can be observed throughout the French-speaking world. Ransomware attacks spread through supply chains, affecting IT vendors who serve customers in multiple French-speaking countries simultaneously. Groups like Cl0p, Akira or Black Basta don’t stop at borders.

European regulatory obligations (NIS2, GDPR) apply uniformly, creating a market where non-compliance is costly. French-speaking companies must now comply with reporting deadlines of 24 to 72 hours or face heavy penalties.

Attack methods that exploit human error

Dumpsec and the New Wave of Cybercriminals

The Dumpsec group, responsible for the Leroy Merlin attack, illustrates a major trend: the exploitation of human error. According to expert Clément Domingo, Dumpsec used an employee’s compromised access to move through internal systems. The group’s leader said, « We’ve had access for 1 month and we started dumping last week… human error as usual for intranets like this ».

This emerging group is suspected of being behind several recent attacks: IT service providers for hundreds of French town halls, Colis Privé, and other French targets. Dumpsec represents a new generation of cybercriminals who are not looking to exploit complex technical vulnerabilities, but to take advantage of human negligence.

Phishing: the weapon of choice

About 60% of the cyberattacks recorded in France in 2024 started with a phishing attempt. This proportion is similar in Switzerland, where phishing accounts for the majority of incidents. The so-called « ClickFix » technique is experiencing explosive growth of 500% in the first half of 2025.

Deepfakes, used in 9% of attacks, make it possible to simulate the voice or face of a manager for fraudulent transfer requests. Password attacks account for more than 97% of identity-based attacks.

Exploitation of identities and access

Intrusions via Active Directory have increased by 37% in one year. Data exfiltration attacks have doubled. Cybercriminals target servers less than user accounts, especially privileged accounts.

Once inside, attackers use techniques like pass-the-hash to escalate privileges, often in less than two hours. They disable defenses (Windows Defender, firewall) before encrypting files or exfiltrating data.

Why WordPress Platforms Are Particularly Vulnerable

WordPress powers 43% of the world’s websites, but this dominance comes with structural vulnerability. The 78% of insufficiently prepared VSEs/SMEs mainly use WordPress for their online presence. 72% have no employees dedicated to security.

WordPress-specific threats in 2025 include:

  • Outdated plugins left unpatched (63% of companies cite lack of time as a barrier)
  • Weak passwords shared via email
  • Admin access never reviewed or disabled
  • Lack of two-factor authentication (only 26% of VSEs/SMEs have deployed it)
  • Lack of an attack detection solution (84% of companies do not have one)

The average WordPress user installs 5-10 plugins, but never checks where they came from or their security history. Updates are postponed due to « lack of time ». Backups are non-existent or untested. Connection logs are never viewed.

This neglect creates an ideal hunting ground for groups like Dumpsec. A simple leak of administrator credentials, compromised FTP access, or a poorly secured plugin is enough to turn a WordPress site into a gateway to the company’s entire information system.

HiveProtect.ai: prevention rather than cure

The principle of proactive security

HiveProtect.ai doesn’t just react to attacks, it prevents them. Designed specifically for the WordPress ecosystem, the plugin tackles the root causes of the problems that allowed Dumpsec et al. to compromise Leroy Merlin and so many others.

Access management and two-factor authentication: While only 26% of VSEs/SMEs have two-factor authentication, HiveProtect.ai requires it by default for all administrator accounts. It detects unusual connections, suspicious IPs, and automatically blocks repeated attempts. If Dumpsec had targeted a platform protected by HiveProtect.ai, an employee’s compromised access would have been neutralized in a matter of minutes.

Continuous monitoring and intrusion detection: Unlike the 84% of companies without a detection solution, HiveProtect.ai analyzes abnormal behavior in real time. Attempts to escalate privileges, access to sensitive files, execution of suspicious scripts: every action is scrutinized. The pass-the-hash technique used by modern ransomware is detected and blocked before it causes any damage.

Protection against phishing and social engineering: While 60% of attacks start with phishing, HiveProtect.ai incorporates mechanisms to verify identities and validate sensitive actions. A request to change a password, a change of email address, the addition of a new administrator: each critical action triggers a multi-step validation. Deepfakes and identity theft, up 9%, are not enough to circumvent these protections.

Plugin and vulnerability management: The plugin automatically scans installed extensions, checks their security history, alerts on known vulnerabilities, and can block access to compromised plugins. It prevents the installation of malicious code via tampered updates, a technique used by modern ransomware groups.

Automated regulatory compliance: With NIS2 and GDPR, companies need to report incidents within short timeframes. HiveProtect.ai automatically generates incident reports, maps sensitive data and provides the necessary elements to the CNIL. No need to panic about a breach: evidence is collected, procedures activated.

The specific approach for VSEs/SMEs

HiveProtect.ai understands that 61% of small businesses are held back by budget constraints. Unlike enterprise solutions costing thousands of euros per month, the plugin integrates into an accessible SaaS model, with a freemium tier to get started without any upfront investment.

The interface is designed for non-specialist users: no technical jargon, clear recommendations, automated actions. The lack of knowledge (63% of companies) is no longer an obstacle, but a solved problem.

Summary table of major incidents 2025 in France

| Company/Organization | Date of Attack | Compromised Data | Number of Victims | Suspected Group |
|---|---|---|---|---|
| Leroy Merlin | November 30, 2025 | Names, contacts, dates of birth, loyalty data | « A few hundred thousand » | Dumpsec |
| Auchan | August 21, 2025 | Names, contacts, loyalty card numbers | « A few hundred thousand » | Not claimed |
| France Travail | November 30, 2025 | Personal data of young people in local missions | 1.6 million | Not claimed |
| Bouygues Telecom | Early August 2025 | Bank details and customer data | More than 6 million | Not claimed |
| Colis Privé | 2025 | Customer data (not specified) | Not disclosed | Dumpsec (suspected) |
| URSSAF | 2025 | Data not specified | Not disclosed | Not claimed |
| Sports federations | 2025 | Member data | Not disclosed | Not claimed |
| City hall IT service providers | 2025 | Administrative data | Several hundred town halls | Dumpsec (suspected) |

Recommendations for surviving the 2025 wave

1. Adopt a default security posture

The 58% of VSEs/SMEs who think they benefit from a good level of protection are often mistaken. Security is not decreed, it is implemented. Enable two-factor authentication on all your critical accounts, not just WordPress. Use password managers (only 46% of companies have them).

2. Automate monitoring

You can’t supervise 24 hours a day. HiveProtect.ai does it for you. Set up immediate alerts on any suspicious activity: new admin login, modification of critical files, attempt to access restricted areas. The 15% of companies that plan to increase their cybersecurity budget in 2025 are investing in automation, not manual solutions.
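
To make the "new admin login" and "repeated attempts" alerts concrete, here is an added example (not code from this article or from HiveProtect.ai) that reads web-server access logs and flags suspicious WordPress logins. It assumes the combined log format and the default WordPress behaviour where a POST to /wp-login.php answers 200 on a rejected login and 302 on a successful one; the `analyze` function, the `known_admin_ips` allowlist, the threshold and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2025:14:30:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"
203.0.113.7 - - [04/Dec/2025:14:30:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"
198.51.100.20 - - [04/Dec/2025:14:30:05 +0100] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "-"
198.51.100.20 - - [04/Dec/2025:14:30:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [04/Dec/2025:14:30:11 +0100] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "-"
203.0.113.7 - - [04/Dec/2025:14:31:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.55 - - [05/Dec/2025:03:12:44 +0100] "POST /wp-login.php?x=1 HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def analyze(log_text, known_admin_ips, max_failures=3):
    """Return (kind, ip, timestamp) alerts for suspicious wp-login.php activity.

    Assumption: 200 on POST means the login form was re-rendered (failure),
    302 means a redirect after success. Plugins or proxies can change this.
    """
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # page views of the login form are not attempts
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip, status = m["ip"], m["status"]
        if status == "200":
            failures[ip] += 1
            if failures[ip] == max_failures:  # alert once per source IP
                alerts.append(("repeated_failures", ip, m["ts"]))
        elif status == "302" and ip not in known_admin_ips:
            kind = "login_after_failures" if failures[ip] else "login_from_unknown_ip"
            alerts.append((kind, ip, m["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, known_admin_ips={"198.51.100.20"}):
        print(alert)
```

A success that follows a run of failures from the same address is the case to look at first: it is what a guessed or reused password looks like in the log.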

3. Continuously train and raise awareness

Phishing thrives on ignorance. Deepfakes (9% of attacks) and the ClickFix technique (+500%) require continuous education. Gather your teams every month. HiveProtect.ai provides blocked attempt reports: use them as concrete teaching materials.

4. Test your recovery plans

Ransomware encrypts data in less than two hours. Do you have a recent backup? Tested? Stored offline? 75% of companies that pay the ransom do not recover all of their data. HiveProtect.ai includes automatic and secure backups, with one-click restore.

5. Anticipate regulatory obligations

NIS2 requires reporting within 24 to 72 hours. GDPR fines can reach 4% of turnover. Prepare your procedures now. HiveProtect.ai generates reports automatically, saving you from reporting errors and omissions.

6. Segment and limit privileges

Privilege escalation is the favorite technique of ransomware. Give each user only the rights that are strictly necessary. A contributor does not need admin access. HiveProtect.ai analyzes roles and suggests restrictions, preventing lateral access once an account is compromised.

The cybersecurity market in 2025: between maturity and urgency

The good news (rare good surprise)

More companies surveyed in 2025 believe they are highly exposed: 44% compared to 38% in 2024. This awareness is essential. 58% believe they have a good or very good level of protection (39% last year). The average number of security devices installed increased from 3.62 to 4.06.

Investments follow: 19% of companies increased their IT budget in 2025 compared to 13% in 2024. 15% plan to increase their cybersecurity budget, i.e. 5 points more.

The bad news (the reality on the ground)

Despite this progress, 1/4 of companies do not call on any specialized player. Nearly 3 out of 10 companies consider cybersecurity to be a non-priority. This figure increases by 11 points among the responding companies.

Obstacles persist: lack of knowledge (63%), budgetary constraints (61%), lack of time (59%). Managers remain unaware, despite the alarming reports of the Court of Auditors and the ANSSI.

Forecasts for 2026

The ANSSI expects threats to intensify, with generative AI used to automate the creation of polymorphic malware. Attacks on critical infrastructure will be prioritized, with reporting times reduced to 24 hours. Groups such as Dumpsec will multiply, specifically targeting French and French-speaking companies.

The costs of cyberattacks are expected to exceed €10 billion in France by the end of 2026. GDPR penalties will reach record highs. Unprepared companies will disappear.

Conclusion: Your WordPress is not an option, it’s a systemic risk

The Leroy Merlin attack is not an accident. This is a symptom of an epidemic that affects all companies, regardless of their size. The 3000 job cuts at Auchan, the millions of data compromised at Bouygues Telecom, the repetition of attacks on France Travail paint an implacable picture: no one is spared.

Your WordPress site, managed on the margins, with reused passwords, outdated plugins and non-existent backups, is not a simple showcase site. It’s an entry point to your network, your customers, your data. Groups like Dumpsec are not looking for the richest targets, but the easiest ones. A poorly secured WordPress site is an open door.

HiveProtect.ai turns your WordPress from a vulnerability to a stronghold. It does not replace a global security policy, but it eliminates 90% of the attack vectors that compromise French SMEs. It automates what you don’t have time to do, it detects what you can’t see, it blocks what you didn’t suspect.

2025 was the year of awareness. 2026 will be the year of massive bankruptcies for unprotected companies. The statistics are clear, threats are documented, and cybercriminal groups are becoming more structured. Your choice is simple: wait for the CNIL’s email announcing the breach of your customers’ data, or install HiveProtect.ai today.

PS: If you receive an email from Leroy Merlin, do not click on any link. If you receive an email from your own company, make sure it’s genuine. And if you’re administering a WordPress site, stop reading this article and check your passwords now. The 10 million rows of data that Dumpsec claims to hold may already contain yours.