Alinto Email Data Leak Exposes 40 Million SMTP Records Tied to Major Companies and French Government Agencies

What happened

An Alinto data leak exposed more than 40 million SMTP records through a publicly accessible Elasticsearch cluster, revealing large volumes of business and government email traffic metadata. The exposed data was discovered in late February 2026 and was linked to infrastructure hosting an SMTP server under Cleanmail.eu, Alinto’s email security relay solution. The leaked records included sender and recipient email addresses, location details, and relay IP addresses. At least 4.5 million of the 40 million records were unique email addresses. The exposed data included traffic tied to organizations such as L’Oreal, Renault, Carrefour, DHL, and Hermes, as well as at least 14,000 unique French government email addresses connected to embassies, municipalities, and other government entities. The database was secured the day after disclosure.

Who is affected

The direct exposure affects organizations and individuals whose email traffic metadata passed through Alinto infrastructure, particularly users of Cleanmail.eu. The leak included major corporate domains and thousands of French government email addresses, exposing both private-sector and public-sector communications patterns.

Why CISOs should care

This incident matters because even without email content, traffic metadata can reveal who communicates with whom, when they communicate, and how messages are routed. That can support phishing, impersonation, and relationship mapping against both corporate and government targets. The exposure also widens the attack surface because it affects client organizations whose traffic passed through a third-party email service provider.

3 practical actions

1. Treat email metadata as sensitive operational data: Protect sender-recipient relationships, timestamps, relay data, and location details as information that can support targeted attacks even when message content is not exposed.
2. Review third-party email service exposure: Identify what communication metadata is visible to outside email service providers and whether those systems create concentration risk for large groups of clients.
3. Plan for phishing risk after metadata leaks: Alert exposed users and high-value staff to watch for impersonation attempts that may align with expected contacts, timing, or communication patterns.

For more news about incidents involving exposure of sensitive organizational data, click Data Breach to read more.