Leak at French Football Federation
In February 2025 the French Football Federation (FFF) suffered a data breach via a compromised account on its licensee-management platform; at least ~43,000 users had personal data exposed, including names, contact details, and copies of ID documents.
- Victim
- French Football Federation
On 21 February 2025, the French Football Federation (FFF) β the governing body for football in France β began notifying members that their personal data had been stolen, after unauthorized access was detected in its information system on 17 February 2025. The intrusion targeted the software used to manage the data of licensees and administrative officials.
According to the FFF and the cybersecurity outlet ZATAZ, the attacker did not exploit a software flaw but instead used a compromised user account that granted access to the licensee-management platform (an abused/misconfigured API used across federations). At least around 43,000 users were confirmed affected, though the threat actor publicly claimed to hold data on as many as 10 million people and sought to sell it. A second dataset, drawn from the officiels.fff.fr referees platform, was later dumped at the end of February.
Exposed data categories included:
- First name, last name, gender
- Date and place of birth, nationality
- Postal address, email address, phone number
- Photograph and a copy of the ID document
The FFF stated that passwords, banking details, and health data were not compromised. In response, it immediately disabled the affected account, worked to secure the software and data, filed a criminal complaint, and notified the relevant authorities. The breach is considered contained.
Sources
- fff.frhttps://www.fff.fr/article/14230-communique-du-26-fevrier-relatif-au-vol-de-donnees.html
- zataz.comhttps://www.zataz.com/nouvelle-fuite-de-donnees-a-la-federation-francaise-de-football-plus-de-43-000-utilisateurs-concernes/
- infosecurity-magazine.comhttps://www.infosecurity-magazine.com/news/french-football-federation-data/