Skip to content
Supply chainContained

Leak at French Archery Federation (via ITAC)

On 20 January 2025 the French Archery Federation (FFTA) disclosed a breach stemming from a flaw at its shared license-management provider; a dataset of 625,434 accounts (names, dates of birth, postal addresses, phones, emails, profile photos) was offered for sale online.

Victim
French Archery Federation

On 20 January 2025, the French Archery Federation (Fédération Française de Tir à l'Arc, FFTA) — the national governing body for the sport of archery in France — disclosed a personal-data breach that had occurred in early January. The federation traced the incident not to its own systems but to a security flaw at the external provider that runs its online "license and officials" spaces — an extranet platform shared by dozens of French sports federations.

Because the same provider served many federations, the breach extended well beyond archery: the Fédération Française de la Montagne et de l'Escalade (climbing) reported a comparable compromise affecting around 120,000 licensees. A threat actor operating under the handle "TheFrenchGuy" advertised more than 600,000 records attributed to the FFTA for sale online; the dataset extracted by the ITAC processor for this record totals 625,434 accounts, a figure that likely reflects the full provider database rather than archery licensees alone.

Exposed data categories included:

  • Last name, first name and gender
  • Date of birth
  • Postal address
  • Phone number
  • Email address
  • Profile photo

Account passwords were reportedly stored encrypted and were not exposed in usable form. In response, the FFTA and its provider closed the exploited vulnerability and neutralised the malicious file, the federation notified France's data-protection authority (CNIL), filed a criminal complaint, and an external security audit was launched. The provider stated it had implemented reinforced technical security measures following the incident.

Sources

  1. ffta.frhttps://www.ffta.fr/actualites/information-dincident-donnees-personnelles
  2. zataz.comhttps://www.zataz.com/fuite-de-donnees-a-la-federation-francaise-de-tir-a-larc/
  3. manageengine.comhttps://www.manageengine.com/fr/blog/general/fuite-de-donnees-a-la-federation-francaise-de-tir-a-larc.html
  4. next.inkhttps://next.ink/166951/fuites-de-donnees-les-dessous-de-lattaque-contre-des-federations-francaises-de-sport/

Related incidents

Supply chainContained

Data leak at UFOLEP (via Exalto)

On 10 December 2025, UFOLEP — the French multi-sport federation — disclosed that a compromised account on its third-party licence-management provider Exalto exposed at least 3,624 member records, including identity, contact and legal-guardian details.

Victim
UFOLEP
Records
3.6K
Supply chainUnknown

Leak at French Strength Federation

In January 2025, the Fédération Française de Force (FFForce) had personal data of 64,512 members exposed via a compromised shared sports-licensing IT provider; records (names, dates of birth, emails, postal addresses, phone numbers) were later sold on BreachForums.

Victim
French Strength Federation
Records
64.5K
Supply chainContained

Leak at French Roller Skateboard Federation

In January 2025, the Fédération Française de Roller et Skateboard had the personal data of roughly 577,000 members exposed after a shared sports-federation IT provider was compromised; names, dates of birth, email/postal addresses and phone numbers were leaked.

Victim
French Roller Skateboard Federation
Records
577.1K