Security incident – Serenamail

What happened

On February 25, 2026, Alinto identified an unintentional data exposure on the Serenamail SaaS service (transactional email sending).

This exposure lasted 21 days and affected Serenamail logs covering the period from November 28, 2025 to February 10, 2026.

Data affected

The exposed logs contained the following information:

  • Sender email addresses — 726,276 unique addresses
  • Recipient email addresses — 4,441,022 unique addresses
  • Client IP addresses — 4,726 IPs
  • Email send date, size, and delivery status
  • Client names

Total volume: 38,095,742 emails affected, including 5,167,298 unique addresses, across 176 Serenamail accounts.

No passwords, message content, or financial data were exposed.

What we did

  • Immediate remediation of the exposure upon detection
  • Registration in our security incident register
  • Strengthening of technical measures to prevent recurrence
  • Compliance actions:
    • Declaration to the CNIL under reference FR2604100900002
    • Notification of affected clients
    • ANSSI notification under reference RM#1073950

To date, no trace of data extraction or exfiltration from our systems has been found.

If you believe you are affected by this exposure, contact our security team by clicking here.