Skip to content
Data breachContained

French Basketball Federation (FFBB): 1.9 million licence holders exposed in a massive leak

On 17 April 2026, France's Basketball Federation (FFBB) disclosed that fraudulent access to a user account let an attacker (alias HexDex) extract identity, contact and licence data on up to 1.9 million members and roughly 800,000 parents.

Victim
French Basketball Federation (FFBB)
records
1.9M

On 17 April 2026, the French Basketball Federation (FFBB) — the national governing body for basketball in France — disclosed a large-scale data breach affecting the personal data of its licence holders and their families. A threat actor operating under the alias HexDex claimed to be selling a database of 1,926,409 members along with roughly 800,000 associated parents.

According to the FFBB, the breach stemmed from fraudulent access to a single user account, which was abused to operate the federation's licensee-management tool through its edition-management module and extract personal records. No software vulnerability or ransomware was reported; the incident was an account compromise leading to unauthorized data exfiltration. The data protection authority (CNIL) was notified in line with GDPR obligations.

The exposed information concerned up to 2 million licensees and around 900,000 legal representatives, including:

  • Identity data: name, first name, date of birth
  • Contact details: postal address, email address, telephone number
  • Licence and club-membership information

The FFBB stated that no banking data, passwords, or health/sensitive data were compromised (though HexDex separately claimed to hold additional fields such as medical certificates). The federation warned that the primary risk for members and families is phishing, with scammers potentially impersonating the FFBB. French authorities identified and arrested the suspected perpetrator on 21 April 2026, four days after the leak was disclosed.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/ffbb-federation-francaise-basket-1-9-million-licencies-et-800000-parents-fuite-massive/
  2. ffbb.comhttps://www.ffbb.com/actualites/la-ffbb-informe-dun-acces-non-autorise-a-ses-donnees-licencies
  3. franceinfo.frhttps://www.franceinfo.fr/sports/basket/cyberattaque-la-federation-francaise-de-basket-revele-une-fuite-de-donnees-de-pres-de-deux-millions-de-licencies_7974797.html

Related incidents

Data breachOngoing

Leak at La France Insoumise

In May 2026, France's La France Insoumise party had data from its Action Populaire activist platform stolen and posted on a hacking forum, exposing some 120,000 email addresses, 20,000 phone numbers, postal addresses and member activity spanning 2017-2026.

Victim
La France Insoumise