Skip to content
Credential stuffingOngoing

Leak at France Travail

In late October 2025, France Travail — France's public employment agency — disclosed a breach in which attackers used credentials harvested by infostealer malware to access job-seeker accounts and exfiltrate sensitive personal, identity and financial data; about 16,479 affected records were catalogued.

Victim
France Travail

On 29 October 2025, France Travail — France's national public employment agency (formerly Pôle Emploi) — confirmed that data had been extracted from job-seeker accounts following a cyberattack disclosed earlier that week. Rather than breaching the agency's core infrastructure directly, the attackers used login credentials harvested by infostealer malware running on job seekers' personal computers, then replayed them in a credential-stuffing campaign to log into individual accounts and exfiltrate the documents stored there.

The intrusion was claimed by the pro-Russian group Stormous, which boasted of tens of thousands of compromised accounts and roughly 30 GB of stolen data. France Travail confirmed that data had genuinely been extracted but could not, at that stage, validate the attackers' figures. The breach record catalogues about 16,479 affected individuals whose authentication data appeared in plaintext.

Exposed data categories included:

  • Civil-status details, postal address, phone number and email
  • National ID card scans
  • Bank details (RIB)
  • Employment contracts and tax notices
  • Social Security attestations, training certificates and work authorizations

France Travail filed a criminal complaint and notified France's data-protection regulator (CNIL), which opened an investigation. This was at least the third reported security incident at the agency in under two years, following the March 2024 breach affecting up to 43 million people and a July 2025 incident hitting hundreds of thousands of job seekers. The investigation remained ongoing at the time of disclosure.

Sources

  1. francebleu.frhttps://www.francebleu.fr/infos/faits-divers-justice/le-site-de-france-travail-victime-d-une-cyberattaque-lundi-des-donnees-ont-ete-extraites-9504464
  2. zataz.comhttps://www.zataz.com/france-travail-revendication-dexfiltration-par-credential-stuffing/
  3. usine-digitale.frhttps://www.usine-digitale.fr/article/france-travail-de-nouveau-victime-d-une-cyberattaque-la-troisieme-en-moins-de-deux-ans.N2240612

Related incidents

Data breachContained

Leak at France Travail

On 1 December 2025, France Travail and the Missions Locales network disclosed that an attacker who hijacked a local-mission agent's account accessed records of about 1.6 million young people, exposing names, dates of birth, social security numbers and contact details.

Victim
France Travail
Records
1.6M
Data breachContained

Leak at France Travail

On 6 October 2025, France Travail — France's national public employment agency — was hit by one of several 2025 data leaks, with personal records of roughly 5,500 job seekers exposed, including names, France Travail IDs, registration categories, email addresses, RSA welfare status and CIR identifiers.

Victim
France Travail
Data breachUnknown

Leak at France Travail

On 25 September 2025, a leak attributed to France Travail, France's public employment agency, exposed the personal data of about 9,971 job seekers, including their email addresses, names and the email address of their assigned advisor.

Victim
France Travail
Records
10.0K
Data breachContained

Leak at France Travail

On 12 August 2025, France Travail, France's public employment agency, disclosed unauthorized access to its employer-facing job portal that exposed the contact details of business users — names, email addresses, phone numbers and an internal technical identifier.

Victim
France Travail