12 million employees affected by the Urssaf DPAE data leak
On 19 January 2026, France's Urssaf disclosed fraudulent access to its DPAE pre-hire declaration API via a compromised partner account, exposing the names, dates of birth, employer SIRET and hire dates of around 12 million employees hired in the past three years.
- Victim
- Urssaf — DPAE
- records
- 12.0M
On 19 January 2026, Urssaf — France's network of agencies that collect social-security and family-benefit contributions — disclosed a fraudulent access to the API behind the Déclaration Préalable à l'Embauche (DPAE), the mandatory pre-hire declaration employers file for every new recruit.
The intrusion was not a direct breach of Urssaf's core systems. Attackers used the stolen credentials of an authorized institutional partner account whose login details had been compromised in an earlier cyberattack targeting that partner. With those credentials, they queried the DPAE API and accessed records of roughly 12 million employees hired within the previous three years.
The data consulted and potentially exfiltrated was limited to:
- Last name and first name
- Date of birth
- Employer SIRET (business identification number)
- Date of hire
Urssaf stated that no bank details (RIB) and no social-security numbers were exposed.
Upon detecting the unauthorized access, Urssaf immediately suspended the partner account and the affected API access. It notified both the CNIL (the French data-protection authority) and ANSSI (the national cybersecurity agency), and said it was reinforcing security by generalizing multi-factor authentication for partner connections. Affected employees were urged to stay vigilant against phishing and identity-fraud attempts using the exposed information.
Sources
- fuitesinfos.frhttps://fuitesinfos.fr/article/2026-01-19-urssaf-dpae
- 20minutes.frhttps://www.20minutes.fr/faits_divers/4196942-20260119-urssaf-victime-acces-frauduleux-donnees-12-millions-salaries-potentiellement-concernes
- urssaf.frhttps://www.urssaf.fr/accueil/actualites/acces-frauduleux-api-dpae.html
- next.inkhttps://next.ink/brief_article/nouvelle-fuite-de-donnees-a-lurssaf-12-millions-de-victimes-potentielles/