Skip to content
Data breachOngoing

French Savate Federation: nearly 680,000 licence holders exposed over 49 years

On 30 March 2026, the Fédération Française de Savate had a database of roughly 679,000 licence-holder profiles spanning 49 years (1977–2026) stolen and put up for sale by an actor known as HexDex, exposing names, contact details and sports-licensing information.

Victim
French Savate Federation
SectorOther

On 30 March 2026, the Fédération Française de Savate — the national governing body for savate (French kickboxing) and related disciplines — was hit by a data breach after an attacker exfiltrated and put up for sale a database of roughly 679,000 licence-holder profiles. The records reportedly span 49 years, from 1977 to 2026, meaning much of the historical data should have been deleted years earlier under data-retention rules.

The threat actor, operating under the alias HexDex, advertised the stolen database for sale and circulated sample records as proof. HexDex was later identified as a 21-year-old man who was arrested in the Vendée region on 20 April 2026; investigators linked him to a wider campaign against numerous French sports federations, including sailing, athletics, motorsport, gymnastics, skiing, rugby league, aikido, university sport, mountaineering/climbing and disabled sport.

The exposed data reportedly included:

  • Identity details (names)
  • Contact information (email, phone, postal address)
  • Sports-licensing data, including club and discipline affiliations

Given the breadth and 49-year depth of the dataset, the exposure carries a particularly high risk of targeted phishing, identity theft and long-term misuse of personal data. As of the disclosure date the data was being offered for sale, and no remediation statement from the federation had been published.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/federation-francaise-de-savate-pres-de-680-000-licencies-exposes-sur-49-ans/

Related incidents

Data breachOngoing

Leak at La France Insoumise

In May 2026, France's La France Insoumise party had data from its Action Populaire activist platform stolen and posted on a hacking forum, exposing some 120,000 email addresses, 20,000 phone numbers, postal addresses and member activity spanning 2017-2026.

Victim
La France Insoumise