French Vacation Rental Brand Hit by Data Theft, Exposing 389,000 Customers to Targeted Scams

A major French vacation-rental network says hackers stole customer booking data, information that can be weaponized for highly convincing phishing and payment scams.

Gîtes de France, a well-known chain of countryside rentals roughly comparable to a U.S. mix of Vrbo-style listings and regional cabin networks, confirmed an “unauthorized access” tied to reservation files. The company says no bank card data was taken, but nearly 389,000 customers could be affected.

The breach lands amid a rough stretch for France’s tourism industry: two other big hospitality groups, Pierre & Vacances–Center Parcs and Belambra, reported similar incidents within a three-day span, according to French cybersecurity watchers.

What Gîtes de France says was stolen

In its statement, Gîtes de France framed the incident as a data theft focused on customer reservation records, not an outage or sabotage of its services. That distinction matters: the biggest risk for customers isn’t a canceled stay, it’s criminals using personal details to trick people into paying or handing over account access.

French Breaches, a site that tracks leaked data, estimated more than389,000customers may be impacted. The alleged attacker claimed access to six months of data, including more than41,000detailed reservations and over42,000customer bookings, suggesting structured files, not just a list of email addresses.

The compromised information reportedly includes names, email addresses, phone numbers, mailing addresses, and stay details such as dates and number of nights. That’s the kind of context scammers love: it lets them craft messages that feel real because they are built around real trips.

Gîtes de France saysno banking datawas collected. That’s reassuring, but it doesn’t eliminate the danger. A scammer doesn’t need your credit card number if they can convince you to click a fake payment link or “reconfirm” a deposit.

A claim of decades of records, and data tied to minors

One of the most alarming claims circulating from French Breaches: the attacker said the dataset spans from1995 to 2026, more than 30 years of booking history. Even if the most detailed access was limited to a shorter window, older databases are often less segmented and less protected, making them attractive targets.

French Breaches also flagged the potential presence of data connected to children and minors included in reservations, reportedly around360,000entries. That could mean names of occupants, ages, or other details about who was traveling. Even without financial information, data involving kids raises the stakes because families typically aren’t monitoring a child’s identity the way they might watch a credit report.

The attacker reportedly described the hack as a bid for “visibility,” a familiar line in some corners of the hacking world. For customers, the motive doesn’t change the reality: once personal data is out, it can be resold, reused, and cross-referenced with other leaks.

Why France’s tourism sector is suddenly a target

Gîtes de France isn’t alone. Within three days, Pierre & Vacances–Center Parcs and Belambra also disclosed incidents involving reservation-related data. The clustering has fueled concerns that attackers are probing the same kinds of systems across the industry, web booking tools, call-center software, and older databases that may not be uniformly secured.

Pierre & Vacances–Center Parcs cited far larger numbers: a leak tied to1.6 millionreservations and potentially up to4.5 millioncustomers. The company said it identified and fixed the vulnerability and notified France’s privacy regulator, theCNIL, the French counterpart to a mix of U.S. state privacy enforcers and the FTC’s consumer-protection role.

Belambra, which operates44vacation clubs in France, acknowledged unauthorized access to part of its digital infrastructure and some reservation-file data. In each case, the prize for criminals is the same: identity and trip context that can be turned into believable fraud.

French Breaches’ founder has suggested the same attacker may be behind all three incidents. If that holds up, it points to a repeatable playbook, one that can be scaled across an entire sector.

The real-world risks: phishing, impersonation, and “urgent” payment demands

The top threat istargeted phishing. When a message includes your name, your travel dates, and a plausible reason to act fast, people are more likely to comply. Scammers can pose as customer support, a property owner, or a booking agent, by email, text, or phone (so-called “vishing”).

A second risk isidentity misuse, opening accounts, requesting quotes, or attempting password resets using personal details. Even without card data, criminals can sometimes manipulate victims into sharing one-time passcodes sent by text or email.

A third common play: the “adjustment” scam. Think a message claiming you owe a tourist tax, cleaning fee, missing deposit, or security hold, paired with a link to a lookalike payment page. A realistic amount makes it easier to swallow. For example, a demand for€79is about$85at current exchange rates, low enough that some people might pay just to make the problem go away.

What customers should do now

Start by treating any booking-related email or text as suspicious, especially anything pushing urgency or payment. Don’t click the link. Go to the company’s site by typing the address yourself, or use the official app you normally use. If you need to call, use a phone number from the official website, not the message you received.

If you have an account tied to your reservations, change that password and don’t reuse it elsewhere. Turn on two-factor authentication wherever it’s available. Your email account is the linchpin for password resets, so lock it down with a strong, unique password and 2FA.

If you receive a scam attempt, save the evidence, emails, screenshots, phone numbers, and report it through the relevant platforms. If money moved, contact your bank immediately and file a police report. The companies involved have said they plan to file complaints; for victims, documentation is what helps investigators and financial institutions act.

Gîtes de France has said it will begin notifying customers starting the Monday following its confirmation of the breach. Those notices typically outline what data was involved and how to get help, but the most important protection in the coming weeks will be skepticism toward any message that tries to rush you into paying.