Cyber Incident Victim: Fédération Française de Football

The French Football Federation (FFF) disclosed a data breach impacting personal information of its members, employees, and volunteers in a February 21, 2025 email notification. Attackers compromised an account to access the federation’s data management software, extracting identity details including full names, birth dates and locations, nationalities, postal addresses, phone numbers, email addresses, photographs, and copies of identity documents. The FFF detected the intrusion on February 17, 2025, and promptly revoked the compromised account credentials. While the federation filed a criminal complaint and reported the incident to France’s National Cybersecurity Agency (ANSSI) and Data Protection Authority (CNIL), it did not disclose the exact number of affected individuals. The notification warned impacted parties about potential phishing attempts leveraging the stolen data.

Concurrently with the FFF’s disclosure, an actor advertised the stolen dataset for sale on BreachForums, a platform facilitating illicit data transactions. The seller claimed unauthorized access was achieved through a misconfigured Swagger UI API on the FFF’s systems but provided no specifics regarding the database’s record count. This individual had previously listed data allegedly stolen from French logistics firm Chronopost earlier that month. The incident occurred amid a surge in attacks targeting French sports organizations, with BreachForums listings during the same period offering data purportedly stolen from France’s boxing, archery, motorcycling, and mountaineering/escalade federations. The FFF’s breach represents a continuation of this pattern targeting sports administrative entities through compromised credentials and API vulnerabilities.