
Have I Been Pwned (HIBP) has added the December 2025 data breach of France's Pass'Sport program to its database, making 6.4 million compromised accounts searchable and notifying impacted individuals.
The leak, initially misattributed to the French family benefits agency CAF, was later confirmed by the Ministry of Sports as originating from one of its own systems.
The breach came to light when a 15 GB file containing 22 million data entries was posted to a prominent criminal forum in mid-December. The dataset included names, email addresses, phone numbers, physical addresses, genders, and in some cases, dates of birth. Upon de-duplication, experts determined that approximately 3.5 million unique households were affected.
The Ministry of Sports, Youth, and Community Life officially acknowledged the incident in a press release on December 19, confirming that an exfiltration had occurred through one of its information systems. Following the discovery, its internal technical teams were mobilized to contain the leak, assess the scope, and implement defensive measures. A formal complaint was filed with law enforcement, and France’s data protection authority, CNIL, was notified within the required 72-hour timeframe.
The Pass'Sport program is a national initiative providing a €50 annual subsidy to youth for sports participation. Administered in collaboration with agencies like CAF, MSA (for agricultural workers), and CNOUS (for students), the system relies on interagency data sharing to determine eligibility. Cybersecurity expert Christophe Boutry confirmed that the breached file contained cross-agency data uniquely linked by identifiers such as “id_psp”, making the Pass'Sport backend the most likely source.
Initial media reports had attributed the breach to CAF, prompting a swift denial from the organization. In a public statement, the national agency clarified that its systems remained uncompromised and suggested the leak stemmed from a different public service partner. Forensic analysis later supported this, pointing to the aggregated nature of the leaked data and the unique identifiers tied to Pass'Sport rather than CAF itself.
HIBP added the Pass'Sport dataset to its breach index yesterday, allowing users to check if their email address is among those exposed. Affected individuals registered with HIBP’s breach alert service have been notified via email. They are advised to change passwords on any accounts using the exposed email address, enable two-factor authentication where possible, and be wary of phishing attempts referencing exposed data.






