Pass'Sport Data Breach
Pass'Sport French Government Youth Sports Subsidy Program Breach (2025): 6.4 Million Household Contact Records Exposed :: Initially Misattributed to CAF
French government-backed sports subsidy program for youth participation.
Risk Interpretation
Exposure enables identity theft, benefits fraud, and government-themed phishing. Program participation may also reveal age, family status, or economic vulnerability.
Impact & Downstream Threats
The institutional impact has fallen primarily on the Ministry of Sports and on its supply chain of administrative subcontractors. Public reporting characterised the incident as another major weakness in the State's outsourcing chain for citizen data. The Ministry issued a statement acknowledging the breach, but the practical burden of customer notification fell to Pass'Sport beneficiaries discovering the issue through breach-tracking services and press coverage rather than direct outreach. There
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
A data file from France's Pass'Sport youth sports subsidy program was published on a hacking forum in December 2025. The file was initially misattributed to CAF, the French family allowance fund, until security researchers identified that it cross-referenced beneficiaries from three separate French agencies, CAF, MSA, and CNOUS, in a combination only the Pass'Sport program would assemble. Each record carried a Pass'Sport-specific identifier (id_psp) confirming the attribution. The Ministry of Sports subsequently acknowledged the incident.\n\nThe published file reportedly contained around 22 million rows reflecting cumulative Pass'Sport activity from 2022 through 2025, with the same household appearing multiple times across years. After deduplication, the file covered approximately 3.5 million unique households, with around 6.4 to 6.5 million unique email addresses indexed by Have I Been Pwned. Compromised fields included names, email addresses, phone numbers, gender, and physical addresses. The longitudinal nature of the file allowed beneficiary records to be tracked across multiple years, with the data on minor beneficiaries gradually transitioning from parent-linked contact details to the young person's own contact details upon reaching adulthood.\n\nFor affected individuals, the practical risk is concentrated in targeted phishing and household-level impersonation. The combination of full name, address, phone, and gender is a strong base for fraudulent messages purporting to come from Pass'Sport, CAF, or affiliated sports clubs, particularly during the annual subsidy enrolment cycle. Young adults whose data appeared in the file face an additional risk because the historical record can be used to craft messages that reference their childhood sports participation. Affected households should treat unsolicited contact about Pass'Sport, sports-club registration, or government allowances with caution and verify any communication through the official pass.sports.gouv.fr channel.
About Pass'Sport
Pass'Sport is a French government-backed subsidy program designed to reduce the cost of sports participation for eligible young people, administered by the Ministry of Sports, Youth, and Community Life (Ministère des Sports, de la Jeunesse et de la Vie Associative). Eligible beneficiaries include minors and young adults whose households receive certain social allowances or who meet other income-based criteria. The program issues a financial allowance that can be used at affiliated sports clubs and associations across France. To administer the subsidy, the Ministry combines beneficiary data drawn from multiple government agencies including CAF (the family allowance fund), MSA (the agricultural social welfare fund), and CNOUS (the national student welfare body).
Why They Hold Your Data
Public subsidy and access programs collect beneficiary identity, contact information, eligibility records, household-linked details, and participation data tied to government funding and sports access workflows.
Recent Developments
The Ministry of Sports publicly acknowledged the December 2025 incident after data circulating on hacking forums was independently attributed to the Pass'Sport program. The leak was initially misattributed to CAF until French security researchers analysed the file structure and identified the cross-agency data combination as unique to Pass'Sport. The breach surfaced alongside a series of other French government-sector incidents in late 2025 and early 2026, including the French Football Federation, the French National Bank Account Registry, and the ANTS identity-document agency. French data-protection regulator CNIL has continued ongoing oversight of public-sector incidents.
Data Points Exposed
Exposure Categories
Canonical Fields
email_address, full_name, gender, phone_number, physical_address
Dark Web Verification
- Dataset containing ~6.4M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Pass'Sport Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Pass'Sport
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam