Skip to content
Vulnerability exploitContained

1,133,731 members - claimed leak at French University Sport Federation

In April 2026 a threat actor known as HexDex advertised the sale of a database stolen from France's university sport federation (FFSU), exposing the identities, contact details and registration data of roughly 1.1 million students, licensees and staff.

Victim
French University Sport Federation
records
1.1M

On 9 April 2026, the Fédération Française du Sport Universitaire (FFSU) — France's national university sport federation — became the subject of a claimed data leak when a threat actor operating under the alias HexDex advertised the sale of its membership database on cybercrime marketplaces. The dataset is reported to cover roughly 1.1 million people (about 1,133,731 records), spanning students, licensed members and staff affiliated with university sports.

According to the federation's own disclosure, the intrusion took place between 22 and 24 November 2025, when an unauthorized party exploited an application vulnerability — creating fraudulent user accounts and abusing an access-control flaw — to automatically extract licensee data from its platform. The stolen records were subsequently offered for sale months later.

The exposed data reportedly includes:

  • Full identities (surname, first name, date of birth)
  • Email addresses and phone numbers
  • Postal addresses
  • Sports and university registration details linking members to their institutions
  • In some cases, contact details of legal guardians

The FFSU says it patched the vulnerability, strengthened access controls and authentication, added request-rate limiting and monitoring, and notified the relevant authorities. The wider campaign — which also struck numerous other French sports federations and public bodies — was attributed to HexDex, a 20-year-old suspect arrested in western France around 21 April 2026 as part of an investigation led by the Paris prosecutor's cybercrime unit.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-04-09-federation-francaise-du-sport-universitaire
  2. cyberattaque.orghttps://www.cyberattaque.org/federation-francaise-de-sport-universitaire-ffsu-11-million-de-licencies-exposees/
  3. sport-u.comhttps://sport-u.com/35164-2/
  4. therecord.mediahttps://therecord.media/french-hacker-cyberattacks-arrest

Related incidents

Vulnerability exploitContained

Leak at I-Cad

I-Cad, France's national dog, cat and ferret identification registry, disclosed in March 2026 that a September 2025 software vulnerability had allowed automated querying of its database, exposing users' email addresses and fuelling phishing campaigns against pet owners.

Victim
I-Cad
Vulnerability exploitContained

Leak at Maeva

In May 2026, Maeva — the holiday-rental brand of Pierre & Vacances-Center Parcs — disclosed a breach in which an attacker scraped up to ten years of booking data, exposing names, dates of birth, phone numbers and stay details for around 4.5 million customers across 1.6 million reservations.

Victim
Maeva