Skip to content
Supply chainContained

12 million employees affected by the Urssaf DPAE data leak

On 19 January 2026, France's Urssaf disclosed fraudulent access to its DPAE pre-hire declaration API via a compromised partner account, exposing the names, dates of birth, employer SIRET and hire dates of around 12 million employees hired in the past three years.

Victim
Urssaf — DPAE
records
12.0M

On 19 January 2026, Urssaf — France's network of agencies that collect social-security and family-benefit contributions — disclosed a fraudulent access to the API behind the Déclaration Préalable à l'Embauche (DPAE), the mandatory pre-hire declaration employers file for every new recruit.

The intrusion was not a direct breach of Urssaf's core systems. Attackers used the stolen credentials of an authorized institutional partner account whose login details had been compromised in an earlier cyberattack targeting that partner. With those credentials, they queried the DPAE API and accessed records of roughly 12 million employees hired within the previous three years.

The data consulted and potentially exfiltrated was limited to:

  • Last name and first name
  • Date of birth
  • Employer SIRET (business identification number)
  • Date of hire

Urssaf stated that no bank details (RIB) and no social-security numbers were exposed.

Upon detecting the unauthorized access, Urssaf immediately suspended the partner account and the affected API access. It notified both the CNIL (the French data-protection authority) and ANSSI (the national cybersecurity agency), and said it was reinforcing security by generalizing multi-factor authentication for partner connections. Affected employees were urged to stay vigilant against phishing and identity-fraud attempts using the exposed information.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-01-19-urssaf-dpae
  2. 20minutes.frhttps://www.20minutes.fr/faits_divers/4196942-20260119-urssaf-victime-acces-frauduleux-donnees-12-millions-salaries-potentiellement-concernes
  3. urssaf.frhttps://www.urssaf.fr/accueil/actualites/acces-frauduleux-api-dpae.html
  4. next.inkhttps://next.ink/brief_article/nouvelle-fuite-de-donnees-a-lurssaf-12-millions-de-victimes-potentielles/

Related incidents

Supply chainContained

Leak at Contrat d'intégration républicaine

France's OFII immigration agency notified signatories of the Contrat d'intégration républicaine that a January 2026 breach via a compromised subcontractor exposed the names, emails, phone numbers and postal addresses of roughly 2.1 million people.

Victim
Contrat d'intégration républicaine
Records
2.1M