High

Pass'Sport

In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum . Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physic...

Exposed data: Email Addresses Names Phone Numbers Physical Addresses Genders
Accounts Exposed 6,366,133
1K 100K 10M 1B+

Overview

In December 2025, a significant data breach impacted France’s Pass’Sport program, a government initiative to help fund youth sports activities. A database containing the sensitive information of millions of applicants was leaked and posted to a public hacking forum. The French Ministry of Sports has since acknowledged the incident. This breach is severe due to the highly personal nature of the exposed data, which can be used for targeted scams and identity theft.

What Was Exposed

The leaked database contains detailed personal information for over 6.3 million individual accounts, affecting approximately 3.5 million households. The specific data types exposed include:

  • Email Addresses
  • Full Names
  • Phone Numbers
  • Physical Addresses
  • Genders

This combination creates a comprehensive profile of an individual and their household.

Potential Impact

The exposure of this data poses a HIGH risk to affected individuals. With an email, name, and physical address, attackers can craft highly convincing phishing emails and smishing (SMS) texts that appear legitimate, increasing the chance you might click a malicious link. The inclusion of a phone number and home address dramatically raises the risk of targeted scams, including impersonation of government officials or financial institutions. Furthermore, this information is a treasure trove for identity theft, as it provides key details often used in security verification processes for other accounts.

Recommendations

If you applied for the Pass’Sport subsidy, you should take the following steps immediately:

  1. Be Extremely Vigilant with Communications: Treat any unsolicited email, text message, or phone call with heightened suspicion, especially if it references sports, government subsidies, or your personal details. Do not click on links or provide any further information. Verify communications directly through official government websites.
  2. Enable Strong Account Security: Use a unique, strong password for your email account associated with Pass’Sport. If you reuse this password elsewhere, change it on those other sites immediately. Enable two-factor authentication (2FA) on your email and any other important accounts (like banking) to add a critical extra layer of security.
  3. Monitor for Identity Fraud: Keep a close eye on your bank and credit card statements for any unauthorized transactions. Be cautious of unexpected mail regarding new accounts or credit checks, which could indicate attempted identity theft.

How to Check If You’re Affected

The breach has been added to the reputable data breach notification service “Have I Been Pwned.” To check if your email address was compromised in this incident:

  1. Go to https://haveibeenpwned.com
  2. Enter your email address in the search bar.
  3. Review the results. If your data was part of the Pass’Sport breach, it will be listed among any other breaches your email appears in.

If you are affected, follow the recommendations above to protect yourself.