Back to Blog
high severity May 13, 2026 · scope unconfirmed

Filabé Listed by spacebears Ransomware Group

Filabé of Switzerland is a skincare company that uses a unique, additive-free technology to treat skin problems. Developed alongside dermatologists and pharmacists in Switzerland, the brand focuses on a science-based approach to skincare. In 2025, they won a PETA Award for "Best Vegan Innovation" due to their animal-friendly cosmetic concepts -Personal information of employees and clients -Financial documents -Other files https://www.filabe.ch/

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed May 13, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On May 13, 2026, Swiss skincare company Filabé appeared on the leak site of the spacebears ransomware group. The listing includes personal information of employees and clients, financial documents, and other internal files exfiltrated during a ransomware attack. Anyone who has purchased Filabé products, worked with the company, or had their details stored in its systems may now have sensitive data circulating among criminals.

Confirmed Facts from Public Reporting

Public reporting indicates that Filabé, a Switzerland-based brand known for additive-free, dermatologist-developed skincare formulas, was hit by a ransomware operation. The company gained attention in 2025 after winning a PETA Award for Best Vegan Innovation. Available reporting describes the stolen material as including employee and client personal information along with financial records. The exact number of individuals affected remains unknown. The data was exfiltrated and is now hosted on the spacebears ransomware leak site, accessible via the Tor network.

Why This Matters for You and Your Family

When a company that holds your name, address, phone number, email, or payment details suffers a breach, that information often resurfaces in identity theft schemes, phishing campaigns, or sold datasets. Personal information of employees and clients can give attackers enough to impersonate you, open accounts in your name, or target your family members. Financial documents raise the risk of tax fraud or unauthorized access to linked bank accounts. Even if you are not a direct customer, shared suppliers or partners can create unexpected exposure. For ordinary families, one breach like this can quietly feed months of fraud attempts that only surface when money goes missing or strange charges appear.

The Doxxing and Identity-Chain Implications

Ransomware leaks rarely stop at one company’s files. Criminals frequently cross-reference stolen client lists with other breaches to build detailed profiles. An email from the Filabé breach combined with a password from an earlier incident can unlock shopping accounts, loyalty programs, or even children’s gaming profiles that use the same credentials. These chains often lead to doxxing, where attackers publish home addresses, phone numbers, and family connections. Gaming accounts are especially vulnerable because children and teens reuse passwords and usernames across platforms; a single leak can cascade into harassment or account takeovers that expose the entire household.

Spacebears Ransomware Group Track Record

Public reporting attributes the attack to the spacebears ransomware group. The group emerged in late 2024 and has targeted organizations across Europe and North America. Notable prior victims include mid-sized manufacturing, retail, and healthcare companies. Their typical playbook involves gaining initial access through phishing or exploited remote desktop services, exfiltrating data before encryption, and then publishing samples on their leak site when ransom demands are ignored. Extortion pressure combines data exposure threats with offers to delete the stolen material for payment, a pattern seen in several incidents documented on ransomware tracking platforms.

What to do

  • Run a DoxxScan to map every link between your email addresses, phone numbers, usernames, and real-world identity so you can see exactly what the Filabé breach connects to.
  • Rotate any password you used on the Filabé site or related services and enable two-factor authentication through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next time your information appears it is caught within hours instead of months.
  • Cover the household with DoxxScan family protection that includes dependents and children’s gaming accounts, which often chain back to the same addresses and credentials exposed in breaches like this.
  • Let remediation specialists handle takedown requests across data brokers and leak sites while you focus on securing your own accounts.

The Filabé incident shows how quickly a single company’s security lapse can ripple into long-term risk for ordinary customers and their families. Taking concrete steps now limits how far attackers can travel along the identity chain that begins with this breach. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that explicitly protects children’s gaming accounts from cascading takeovers.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.