Skip to content
Data breachContained

Leak at French Cycling Federation

On 10 December 2025, the Fédération Française de Cyclisme detected an intrusion (via stolen credentials/infostealers, no MFA) exposing licensees' names, dates of birth, nationality, postal addresses, emails and phone numbers; group Dumpsec also claimed to hold ID documents.

Victim
French Cycling Federation
SectorOther

On 10 December 2025, the Fédération Française de Cyclisme (FFC) — France's national governing body for cycling — disclosed that it had detected an unauthorized intrusion into its information system. The federation said the breach occurred during the night of 8–10 December and was identified on 10 December.

According to reporting, the attackers gained access through compromised user credentials harvested by infostealer malware on members' workstations, exploited via the federation's online "Espace Club" / licensing platform. The absence of multi-factor authentication facilitated the unauthorized access. The FFC filed a complaint and notified the French authorities.

Personal data captured during licence registration was potentially accessed:

  • First and last name
  • Date of birth and nationality
  • Postal address
  • Email address
  • Telephone number

The FFC stated that its document database and the identity documents stored on the Espace FFC were not affected. However, the cybercriminal group Dumpsec publicly claimed the leak was far larger and said it held samples of thousands of identity documents (national IDs, passports) — a claim the federation disputes and which has not been independently verified. A significant share of those affected are minors holding youth licences. The FFC reset all user passwords, suspended some platform functions, and notified ANSSI and the CNIL while announcing the rollout of multi-factor authentication. The incident formed part of a wave of late-2025 breaches affecting French sports federations.

Sources

  1. structures.ffc.frhttps://structures.ffc.fr/incident-securite-informatique/
  2. sportbusiness.clubhttps://www.sportbusiness.club/cyclisme-la-federation-francaise-victime-dune-attaque-informatique/
  3. prodpress.euhttps://www.prodpress.eu/cyberattaque-federation-francaise-de-cyclisme-revendication-preuves-et-defaillances-structurelles/
  4. next.inkhttps://next.ink/218887/tennis-speleologie-nouvelles-fuites-de-donnees-chez-les-federations-sportives/

Related incidents

Data breachContained

Leak at French Speleology Federation

On 31 December 2024 the French Speleology Federation (FFS) disclosed a data leak from its insurance-subscription portal, exposing members' identity, contact details, nationality, profession and licence numbers as part of a wider wave of attacks on French sports federations.

Victim
French Speleology Federation
Data breachUnknown

Leak at French Kick Boxing Federation

In late December 2025, the French Kick Boxing Federation (FFKMDA) had its member database leaked on BreachForums, exposing 361,321 licensees' names, dates of birth, nationalities, contact details, postal addresses and licence records across 2015-2026 seasons.

Victim
French Kick Boxing Federation
Records
361.3K
Data breachContained

Leak at French Swimming Federation

Data on roughly 1.3 million members of the French Swimming Federation (FFN) was put up for sale on BreachForums on 23 December 2025 after its Extranat management platform was breached, exposing identity details, contact information and licence numbers.

Victim
French Swimming Federation
Records
1.3M
Data breachUnknown

Leak at 123 casting

On 22 December 2025, a database of roughly 240,000 users of French casting platform 123casting was published on BreachForums, exposing identities, contact details, MD5-hashed passwords, physical measurements, ethnic origin, photo/video books, private messages and payment data.

Victim
123 casting
Records
240.0K