Data leak at UFOLEP (via Exalto)
On 10 December 2025, UFOLEP — the French multi-sport federation — disclosed that a compromised account on its third-party licence-management provider Exalto exposed at least 3,624 member records, including identity, contact and legal-guardian details.
- Victim
- UFOLEP
- records
- 3.6K
On 10 December 2025, UFOLEP — the Union Française des Œuvres Laïques d'Éducation Physique, a national French multi-sport federation organised as a 1901 association — disclosed a data leak affecting its members. The exposure did not originate in UFOLEP's own systems but on the management platform of Exalto, the third-party provider it uses to administer membership licences.
According to the reporting, an attacker gained access through a compromised user account on the Exalto platform, then browsed and exfiltrated member profiles available to that account. Because the breach occurred at a service provider rather than in UFOLEP's infrastructure, the incident is best characterised as a supply-chain / third-party-processor compromise. At least 3,624 member records were affected.
The exposed data spanned identity and contact information, including:
- First and last name
- Date and place of birth
- Nationality
- Postal address, email address and phone number
- Legal guardian's contact details (for minors)
- Consent status
The compromise was a confidentiality breach contained within the Exalto environment, with no reported impact on the availability or integrity of UFOLEP's services. The sensitivity of the leaked data was assessed as low, though the inclusion of minors' and guardians' details raises the practical risk for affected members.
Sources
- stroople.comhttps://www.stroople.com/data-breach-observatory/data-breach-ufolep-december-2025/
- bonjourlafuite.eu.orghttps://bonjourlafuite.eu.org/#UFOLEP-2025-12-10