Skip to content
Supply chainContained

728,732 members - claimed data leak at French Motor Sport Federation

On 24 February 2026, a threat actor claimed to be selling a database of 728,732 members of the French Motor Sport Federation (FFSA), exposing names, dates of birth, postal and email addresses, phone numbers and licence details after a third-party provider was compromised.

Victim
French Motor Sport Federation

On 24 February 2026, the French Motor Sport Federation (FFSA) — the governing body for motorsport (karting, rally, circuit racing) in France — was named in a claimed data leak in which a threat actor advertised a database of its members for sale on cybercrime forums such as BreachForums.

The incident is part of a broader wave of intrusions against French sports federations. Investigators tied the compromise to a vulnerability at a third-party IT provider that managed licensing and administrative systems for multiple federations, allowing an attacker (operating under the alias "TheFrenchGuy") to extract member databases. The FFSA detected unauthorised access to data on its website www.ffsa.org, took the site offline, and launched a technical investigation.

The data exposed reportedly included:

  • Full names (first and last)
  • Dates of birth
  • Postal addresses
  • Email addresses
  • Phone numbers
  • Licence and federation details

No passwords, banking data or medical information were reported as compromised. The seller claimed a database of 728,732 members, though the precise scale is disputed across reporting, with figures ranging from roughly 356,000 licensees to as high as 1.7 million members.

The FFSA publicly confirmed the breach on 16 February 2026, apologised to members, notified the French data-protection authority (CNIL), filed a criminal complaint, and warned licensees of a heightened risk of targeted phishing using their genuine contact details. Affected members were directed to dpo@ffsa.org.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-24-federation-francaise-du-sport-automobile
  2. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-01-15-federation-francaise-du-sport-automobile-ffsa
  3. zataz.comhttps://www.zataz.com/piratage-massif-des-federations-sportives-francaises-45-millions-de-donnees-vendues/
  4. kartcom.comhttps://www.kartcom.com/en/news/2026/02/14/nouvelle-cyberattaque-a-la-ffsa/

Related incidents

Supply chainContained

Leak at La Mine Bleue (via Vivaticket)

On 31 March 2026, French tourist attraction La Mine Bleue notified customers that their personal data — names, postal code/country, email and purchase history — was exposed in the ransomware breach of its ticketing provider Vivaticket; no banking data was affected.

Victim
La Mine Bleue