High

Pass'Sport Breach: 6.4M Accounts Exposed

In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum. Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physic...

Overview

In December 2025, data from France’s Pass’Sport program - a government initiative providing a 50-euro sports subsidy for children - was posted to a popular hacking forum. The breach exposed 6,366,133 unique email addresses linked to approximately 3.5 million households. Initially misattributed to CAF (the French family allowance fund), the data was confirmed to originate from the Pass’Sport system, which manages enrollment and subsidy distribution.

The exposed dataset includes not just email addresses but also names, phone numbers, physical addresses, and genders. This is a highly sensitive leak because it combines multiple identity markers, making the information valuable for targeted scams, identity theft, and social engineering attacks.

What Was Exposed

The compromised data includes:

  • Email addresses - 6.3M unique emails, enabling credential-stuffing and phishing attacks.
  • Names - full names tied to households.
  • Phone numbers - direct contact information for SMS-based scams.
  • Physical addresses - home addresses, which can be used for targeted mail fraud or physical threats.
  • Genders - a less sensitive attribute but useful for building detailed profiles.

For the 3.5 million households affected, this combination of personally identifiable information (PII) is a goldmine for fraudsters. Unlike a simple email-and-password dump, this breach gives attackers everything they need to impersonate victims convincingly.

How the Breach Happened

The exact attack vector has not been disclosed by Pass’Sport or the French government. However, the appearance of the data on a hacking forum is consistent with a compromised API endpoint, an insider leak, or a vulnerability in the enrollment portal. The misattribution to CAF indicates the data may have been shared or federated across government databases, creating a wider attack surface.

No specific CVE has been associated with this breach at the time of writing.

Who’s Actually Affected

The breach directly impacts French families who enrolled in the Pass’Sport program - primarily households with children aged 6 to 18. However, because the data includes names and addresses linked to parents or guardians, the exposure extends to any adult who submitted their details during the application process.

Given the program’s government backing, affected individuals may not have expected their personal data to be vulnerable. This breach underscores a broader pattern in cybersecurity news: government-administered benefit programs are increasingly targeted due to the high volume of PII they hold.

Identity Theft Risks

The combination of names, addresses, phone numbers, and email addresses is a near-complete profile for identity theft. Attackers can:

  • Use the data to apply for credit, loans, or government benefits in victims’ names.
  • Launch targeted phishing campaigns that reference real lifecycle events (e.g., “Your child’s sports subsidy is expiring”).
  • Combine with other breached data (e.g., from CAF or other French agencies) to build even richer dossiers.

French residents should be especially vigilant about unsolicited calls, texts, or emails referencing Pass’Sport.

What to Do Right Now

If you or your family enrolled in the Pass’Sport program, take these steps immediately:

  1. Check if you’re affected - Visit Have I Been Pwned and search your email address.
  2. Enable multi-factor authentication (MFA) on all email and government account portals (e.g., FranceConnect, CAF, Ameli). This prevents credential-stuffing if your email is reused elsewhere.
  3. Freeze your credit - Contact French credit bureaus (e.g., Banque de France) to place a fraud alert or credit freeze.
  4. Monitor for phishing - Be suspicious of any email, SMS, or phone call that references Pass’Sport. Do not click links or provide additional personal information.
  5. Change passwords - If you use the same password across multiple accounts, update them immediately. Use a password manager to generate unique, strong passwords.
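
One way a mail or helpdesk team could apply step 4 during triage, as an added example that is not part of the original report: it flags messages that name Pass'Sport and carry links resolving outside an allowlist. The `gouv.fr` allowlist, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: links in genuine programme mail resolve under gouv.fr.
# Replace with the domains you have verified independently.
OFFICIAL_SUFFIXES = ("gouv.fr",)

# Matches Pass'Sport, Pass’Sport, PassSport, "pass sport" and Pass-Sport.
LURE_RE = re.compile(r"pass['\u2019\u02bc` \-]?sport", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample messages (not taken from the breach or from real mail).
SAMPLES = [
    "Votre Pass’Sport expire: confirmez sur https://pass-sport.gouv.fr.example.net/renouveler",
    "Pass'Sport: suivi de dossier https://pass.sports.gouv.fr@203.0.113.7/login",
    "Rappel PassSport, voir https://www.sports.gouv.fr/",
    "Réunion du club jeudi, https://example.org/planning",
]


def host_is_official(host):
    """True only for an exact match or a real subdomain of an allowed suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def link_hosts(text):
    """Hostname of every http(s) link; userinfo before '@' is not the host."""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            hosts.append(urlsplit(url).hostname or "")
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            hosts.append("")
    return hosts


def triage(message):
    """Return (verdict, off_allowlist_hosts) for one message body."""
    text = unicodedata.normalize("NFKC", message)  # fold full-width forms
    if not LURE_RE.search(text):
        return "ignore", []
    bad = sorted({h for h in link_hosts(text) if not host_is_official(h)})
    # "review" still needs a human: the lure may be a phone number, not a link.
    return ("suspicious" if bad else "review"), bad
```

The suffix check compares on a label boundary, so a host that merely contains `gouv.fr` in the middle of its name, or places it before an `@`, is not treated as official.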

How to Check If You’re Affected

The most reliable method is to search your email address on Have I Been Pwned. The site cross-references your email against the breached dataset and will display a notification if your address appears in the Pass’Sport dump.

There is currently no official lookup tool from the French government. If CAF or Pass’Sport contacts you by email or phone, verify the source independently before responding.

Security Insight

This breach reveals a troubling pattern: government benefit programs often treat personal data as a single, shareable resource across agencies, which multiplies the blast radius when a single system is compromised. The misattribution to CAF suggests data federation practices that lack proper access controls and monitoring. For a program handling millions of families’ sensitive information, the absence of disclosed breach timelines or attacker attribution raises concerns about incident response readiness.
