Alinto, a prominent French email solutions provider, has accidentally exposed tens of millions of records belonging to major global corporations and French government agencies.
The leak, first discovered and reported by researchers at Cybernews, has raised significant concerns over the security of enterprise email traffic and the potential for sophisticated social engineering attacks.
The breach centres on a public Elasticsearch cluster containing approximately 40 million SMTP (Simple Mail Transfer Protocol) records. According to the Cybernews investigation, the server hosting the leaked data was also running an SMTP server under Cleanmail.eu, Alinto’s flagship email security relay solution.
While the leaked database did not contain the actual body content of the emails, it provided a granular, high-definition map of communication metadata. This included sender and recipient email addresses, precise timestamps, relay IP addresses and location details. Of the 40 million records analyzed, researchers identified at least 4.5 million unique email addresses.
Security experts warn that even without message contents, this metadata is “gold dust” for cybercriminals. By analyzing sender and recipient patterns, attackers can perform highly targeted social engineering. “Large email data leaks invite social engineering attacks against exposed organizations,” the Cybernews team warned.
By cross-referencing names found in the leaked addresses with professional networking sites, attackers can identify high-value targets with elevated system access. This allows for “spear-phishing” campaigns that are far more convincing, as an attacker can accurately impersonate a known contact, referencing specific times and relay points to bypass a victim’s natural suspicion.
Alinto is a major player in the European “clean mail” space, claiming to process 100 million emails daily with a specific focus on high-level security for large enterprises. However, this leak effectively mapped out the communication flows of some of the world’s most recognisable brands and sensitive public institutions.
Affected entities reportedly include automotive giant Renault, retail leader Carrefour, logistics firms DHL and Hermes, and the beauty conglomerate L’Oreal. Perhaps most concerningly, several French government institutions and agencies were also found within the exposed records.
Cybernews reached out to Alinto to disclose the vulnerability in late February. While the company did not provide a formal response or statement, the database was secured and removed from public access the following day.
For organizations relying on third-party security relays, the incident serves as a stark reminder that the very tools designed to protect communication can, through a single configuration error, become a primary source of institutional risk.
