Pass’Sport Data Breach Exposing 6.4 Million Accounts Originated from the French Ministry of Sports

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Massive Exposure: A data breach involving the French Pass'Sport program has exposed approximately 6.4 million email addresses and sensitive personal information.
  • Source Confirmation: While initially attributed to the Family Allowance Fund (CAF), the leak was confirmed to originate from the Ministry of Sports' information systems.
  • Compromised Data: The 15 GB leaked dataset contains names, phone numbers, physical addresses, and genders, impacting roughly 3.5 million unique households.

A significant Pass'Sport data breach involved a 15 GB file that was initially posted on a criminal forum in December 2025. The file contained over 22 million entries, which, upon forensic analysis and deduplication, revealed the exposure of fewer unique email addresses.

The dataset was added to breach notification service Have I Been Pwned (HIBP) on January 18, 2026, confirming that 6.4 million accounts and associated personally identifiable information (PII) were exposed.

Technical Analysis and Attribution

The incident was initially misattributed to the Caisse d'Allocations Familiales (CAF), causing public concern regarding the security of family benefit data. However, subsequent investigations identified the true source as the backend systems of Pass'Sport, a government initiative offering sports subsidies to youths. 

The Ministry of Sports, Youth, and Community Life officially acknowledged the French data leak, confirming exfiltration from one of its information systems. 

Reports noted that the dataset included "id_psp" identifiers, confirming the data originated from the Pass'Sport infrastructure, which aggregates eligibility data from multiple agencies including the CAF, the MSA (farmers), and the CNOUS (students).

Official Cybersecurity Response and Mitigation

In response to the data breach, the Ministry announced it mobilized technical teams to contain the unauthorized access and assess the blast radius. A formal cybersecurity response was initiated, including the filing of a criminal complaint and mandatory notification to the Commission Nationale de l'Informatique et des Libertés (CNIL) within the statutory 72-hour window. 

Other notable breaches this month include the JPMorgan intrusion via a law firm, impacting over 650 investors, and the confirmed Grubhub data theft.

