The French Football Federation confirmed this week that attackers used stolen credentials to breach centralized administrative software managing club memberships nationwide, exposing personal information belonging to licensed players registered through clubs across the country.
The FFF detected the unauthorized access and immediately disabled the compromised account while resetting all user passwords across the system, though threat actors had already exfiltrated member databases before detection.
The breach exposed names, gender, dates and places of birth, nationality, postal addresses, email addresses, telephone numbers, and license numbers. The federation claimed the intrusion and exfiltration remained limited to these data categories, with no financial information or passwords compromised in the incident.
According to the federation, which has over two million members, many of whom are minors, the breached data includes personally identifiable information that could be leveraged for phishing attacks. The FFF reported a record number of over 2.3 million football license holders in the country for the 2023-2024 season, according to the latest publicly available figures.
Second Attack in Two Years
This marks the third time in two years that the French Football Federation has suffered a cyberattack, with a March 2024 incident potentially exposing 1.5 million member records according to prosecutors. The pattern demonstrates persistent targeting of French sports organizations.
Cybersecurity researchers verified 18 months ago that a sample of FFF player details had been published on a well-known data leak forum, suggesting previous successful intrusions may have gone undetected.
The federation filed a criminal complaint and notified France’s National Cybersecurity Agency (ANSSI) and the data protection authority (CNIL), as required under European regulations. The FFF will directly contact individuals whose email addresses appear in the compromised database.
Phishing Campaign Warnings
Federation officials warned members to exercise extreme vigilance regarding suspicious communications appearing to originate from the FFF or local clubs. Threat actors commonly leverage stolen personally identifiable information to craft convincing phishing messages requesting that recipients open attachments or provide account credentials, passwords, or banking information.
Security experts note that smaller clubs and societies sometimes consider themselves insufficiently interesting for criminals to target, but this incident demonstrates how deeply everyday life depends on centralized platforms vulnerable to credential compromise.
The federation stressed its commitment to protecting entrusted data while acknowledging that numerous organizations face increasing numbers and evolving forms of cyberattacks. “The FFF is committed to protecting all the data entrusted to it and continually strengthens and adapts its security measures in order to face, like many other organizations, the growing variety and new forms of cyber-attacks,” the statement said.
The reliance on a single centralized administrative platform across all French football clubs created a high-value target where credential compromise granted attackers access to member records from thousands of clubs simultaneously.
