French Basketball Federation Breached, 1.9 Million Members and 800K Parents Exposed With Addresses, Medical Certificates, and Minor Data
French Basketball Federation breached; 1.9M members and 800K parents' personal data exposed by HexDex.
Summary
The French Basketball Federation (FFBB) suffered a major data breach affecting 1.9 million members and approximately 800,000 parents, with threat actor HexDex now selling the compromised dataset on the dark web. The exposed data includes full names, dates of birth, home addresses, phone numbers, email addresses, licence numbers, medical certificate information, player physical measurements, and parent contact details for minors. The breach raises significant GDPR and French health data protection concerns, particularly given the exposure of sensitive information on underage athletes and their families.
Full text
Dark Web Informer - Cyber Threat Intelligence French Basketball Federation Breached, 1.9 Million Members and 800K Parents Exposed With Addresses, Medical Certificates, and Minor Data April 17, 2026 - 6:46:08 PM UTC France Sports / Recreation Standalone API Access Now Available High-volume threat-intelligence data, automated ingestion endpoints, ransomware feeds, IOC data, and more. View API Unlock Exclusive Cyber Threat Intelligence Powered by DarkWebInformer.com Stay ahead of cyber threats with real-time breach tracking, expert analysis, and high quality evidence - built for security professionals, researchers, journalists, and everyday people who take their privacy seriously. Subscribe Now Quick Facts Date & Time 2026-04-17 18:46:08 UTC Threat Actor HexDex Victim French Basketball Federation (FFBB) Industry Sports / Recreation Category Data Breach Total Members 1,926,409 Parent Records ~800,000 Unique Emails 1,444,527 Unique Phones 1,513,270 Unique Addresses 1,926,409 Price Make Offer Country France Incident Overview HexDex, a prolific threat actor previously responsible for the Therapeutes, Airsoft-Entrepot, and Allopneus breaches targeting French organizations, is now selling the personal data of 1,926,409 members and approximately 800,000 parents from the Federation Francaise de Basket-Ball (FFBB), the governing body for basketball in France. The total dataset covers roughly 2.7 million individuals and includes a 5,000-line sample distributed across six file hosting services. The dataset statistics show significant deduplicated contact volumes: 1,444,527 unique member emails, 1,513,270 unique member phones, 468,306 unique landlines, 511,120 unique mother phone numbers, 538,890 unique mother emails, 271,121 unique father phone numbers, and 91,955 unique father emails. Each member record contains an extensive set of fields: Personal Identity: Full names, first names, dates of birth, place of birth, gender, and nationality. Contact and Address: Personal phone numbers, home/landline numbers, email addresses, full street addresses with complement details (apartment floor, building), postal codes, and commune names. Federation Data: Licence numbers, qualification dates, player category codes (U19, U20, Senior), league/division classifications, regional league identifiers (IDF, ARA, BRE, CVL), and club affiliations with organization names and codes. Medical Information: Medical certificate dates and medical certificate expiration dates, which confirm whether a player has a current health clearance to compete. Physical Data: Height measurements in meters for individual players. Club and Organization: Club SIRET numbers (French business registration), club organization codes, prefecture registration numbers, and club names. Consent and Authorization: FFBB offer authorization status, partner authorization status, and engagement charter flags. Parent Data: For minor players, the dataset includes mother and father email addresses, phone numbers, and contact details as separate fields. The child safety dimension of this breach is critical. The sample data shows records for individuals born in 2003, 2004, 2005, and 2007, many in the U19 and U20 categories. For these minor and recently-adult players, the database exposes not only their personal information but also their parents' contact details, their home addresses, their club locations, and their physical height. The medical certificate data adds a health information dimension that may trigger additional GDPR and French health data protection requirements. Compromised Data Categories Full Names & Dates of Birth Home Addresses Personal & Home Phone Numbers Email Addresses Licence Numbers Medical Certificate Dates Height / Physical Data Nationality Club Affiliations & SIRET Numbers Player Categories & Divisions Prefecture Registration Numbers Parent Contact Details (~800K) Minor Player Records Image Preview Claim URL Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers. Subscribe Subscriber Access View the original listing URL and unredacted claim images on the feeds below. Threat Feed Ransomware Feed MITRE ATT&CK Mapping T1190 Exploit Public-Facing Application Targets the French Basketball Federation's web infrastructure to access member databases containing nearly 2 million player records and 800,000 parent records. T1213 Data from Information Repositories Extracts the complete federation membership database including personal details, licence data, medical certificates, club affiliations, and family contact information. T1589.002 Gather Victim Identity: Email Addresses Harvests 1.4 million unique member emails, 538,890 mother emails, and 91,955 father emails alongside verified phone numbers for targeted phishing and social engineering. T1567 Exfiltration Over Web Service Distributes a 5,000-line sample across six file hosting services and offers the full dataset via qTox and Session messaging for buyer negotiations. Dark Web Informer © 2026 | Cyber Threat IntelligenceDarkWebInformer.com
Indicators of Compromise
- mitre_attack — T1190
- mitre_attack — T1213
- mitre_attack — T1589.002
- mitre_attack — T1567