Skip to content
Supply chainContained

Data leak at UFOLEP (via Exalto)

On 10 December 2025, UFOLEP — the French multi-sport federation — disclosed that a compromised account on its third-party licence-management provider Exalto exposed at least 3,624 member records, including identity, contact and legal-guardian details.

Victim
UFOLEP
records
3.6K
SectorOther

On 10 December 2025, UFOLEP — the Union Française des Œuvres Laïques d'Éducation Physique, a national French multi-sport federation organised as a 1901 association — disclosed a data leak affecting its members. The exposure did not originate in UFOLEP's own systems but on the management platform of Exalto, the third-party provider it uses to administer membership licences.

According to the reporting, an attacker gained access through a compromised user account on the Exalto platform, then browsed and exfiltrated member profiles available to that account. Because the breach occurred at a service provider rather than in UFOLEP's infrastructure, the incident is best characterised as a supply-chain / third-party-processor compromise. At least 3,624 member records were affected.

The exposed data spanned identity and contact information, including:

  • First and last name
  • Date and place of birth
  • Nationality
  • Postal address, email address and phone number
  • Legal guardian's contact details (for minors)
  • Consent status

The compromise was a confidentiality breach contained within the Exalto environment, with no reported impact on the availability or integrity of UFOLEP's services. The sensitivity of the leaked data was assessed as low, though the inclusion of minors' and guardians' details raises the practical risk for affected members.

Sources

  1. stroople.comhttps://www.stroople.com/data-breach-observatory/data-breach-ufolep-december-2025/
  2. bonjourlafuite.eu.orghttps://bonjourlafuite.eu.org/#UFOLEP-2025-12-10

Related incidents

Supply chainContained

Leak at French Archery Federation (via ITAC)

On 20 January 2025 the French Archery Federation (FFTA) disclosed a breach stemming from a flaw at its shared license-management provider; a dataset of 625,434 accounts (names, dates of birth, postal addresses, phones, emails, profile photos) was offered for sale online.

Victim
French Archery Federation
Supply chainUnknown

Leak at French Strength Federation

In January 2025, the Fédération Française de Force (FFForce) had personal data of 64,512 members exposed via a compromised shared sports-licensing IT provider; records (names, dates of birth, emails, postal addresses, phone numbers) were later sold on BreachForums.

Victim
French Strength Federation
Records
64.5K
Supply chainContained

Leak at French Roller Skateboard Federation

In January 2025, the Fédération Française de Roller et Skateboard had the personal data of roughly 577,000 members exposed after a shared sports-federation IT provider was compromised; names, dates of birth, email/postal addresses and phone numbers were leaked.

Victim
French Roller Skateboard Federation
Records
577.1K