Skip to content
Support
Sign In Subscribe
Data Breaches

French Basketball Federation Breached, 1.9 Million Members and 800K Parents Exposed With Addresses, Medical Certificates, and Minor Data

 and  Dark Web Informer
10 min read
Dark Web Informer - Cyber Threat Intelligence

French Basketball Federation Breached, 1.9 Million Members and 800K Parents Exposed With Addresses, Medical Certificates, and Minor Data

April 17, 2026 - 6:46:08 PM UTC
France
Sports / Recreation
Standalone API Access Now Available High-volume threat-intelligence data, automated ingestion endpoints, ransomware feeds, IOC data, and more.
View API
Unlock Exclusive Cyber Threat Intelligence
Powered by DarkWebInformer.com
Stay ahead of cyber threats with real-time breach tracking, expert analysis, and high quality evidence - built for security professionals, researchers, journalists, and everyday people who take their privacy seriously.
Subscribe Now

Quick Facts

Date & Time 2026-04-17 18:46:08 UTC
Threat Actor HexDex
Victim French Basketball Federation (FFBB)
Industry Sports / Recreation
Category Data Breach
Total Members 1,926,409
Parent Records ~800,000
Unique Emails 1,444,527
Unique Phones 1,513,270
Unique Addresses 1,926,409
Price Make Offer
Country France

Incident Overview

HexDex, a prolific threat actor previously responsible for the Therapeutes, Airsoft-Entrepot, and Allopneus breaches targeting French organizations, is now selling the personal data of 1,926,409 members and approximately 800,000 parents from the Federation Francaise de Basket-Ball (FFBB), the governing body for basketball in France. The total dataset covers roughly 2.7 million individuals and includes a 5,000-line sample distributed across six file hosting services.


The dataset statistics show significant deduplicated contact volumes: 1,444,527 unique member emails, 1,513,270 unique member phones, 468,306 unique landlines, 511,120 unique mother phone numbers, 538,890 unique mother emails, 271,121 unique father phone numbers, and 91,955 unique father emails. Each member record contains an extensive set of fields:

  • Personal Identity: Full names, first names, dates of birth, place of birth, gender, and nationality.
  • Contact and Address: Personal phone numbers, home/landline numbers, email addresses, full street addresses with complement details (apartment floor, building), postal codes, and commune names.
  • Federation Data: Licence numbers, qualification dates, player category codes (U19, U20, Senior), league/division classifications, regional league identifiers (IDF, ARA, BRE, CVL), and club affiliations with organization names and codes.
  • Medical Information: Medical certificate dates and medical certificate expiration dates, which confirm whether a player has a current health clearance to compete.
  • Physical Data: Height measurements in meters for individual players.
  • Club and Organization: Club SIRET numbers (French business registration), club organization codes, prefecture registration numbers, and club names.
  • Consent and Authorization: FFBB offer authorization status, partner authorization status, and engagement charter flags.
  • Parent Data: For minor players, the dataset includes mother and father email addresses, phone numbers, and contact details as separate fields.

The child safety dimension of this breach is critical. The sample data shows records for individuals born in 2003, 2004, 2005, and 2007, many in the U19 and U20 categories. For these minor and recently-adult players, the database exposes not only their personal information but also their parents' contact details, their home addresses, their club locations, and their physical height. The medical certificate data adds a health information dimension that may trigger additional GDPR and French health data protection requirements.

Compromised Data Categories

Full Names & Dates of Birth Home Addresses Personal & Home Phone Numbers Email Addresses Licence Numbers Medical Certificate Dates Height / Physical Data Nationality Club Affiliations & SIRET Numbers Player Categories & Divisions Prefecture Registration Numbers Parent Contact Details (~800K) Minor Player Records

Image Preview

Forum post by HexDex selling 1.9 million FFBB member records and 800K parent records with FFBB logo, contact statistics, and proof links Sample JSON records showing detailed member profiles with addresses, licence numbers, medical certificates, club details, and parent contact information for minor players Additional sample records, 5K line sample download links across six file hosts, qTox and Session contact details, and link to actor's full data sales listing

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.
Subscribe
Subscriber Access View the original listing URL and unredacted claim images on the feeds below.
Threat Feed Ransomware Feed

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application
Targets the French Basketball Federation's web infrastructure to access member databases containing nearly 2 million player records and 800,000 parent records.
T1213 Data from Information Repositories
Extracts the complete federation membership database including personal details, licence data, medical certificates, club affiliations, and family contact information.
T1589.002 Gather Victim Identity: Email Addresses
Harvests 1.4 million unique member emails, 538,890 mother emails, and 91,955 father emails alongside verified phone numbers for targeted phishing and social engineering.
T1567 Exfiltration Over Web Service
Distributes a 5,000-line sample across six file hosting services and offers the full dataset via qTox and Session messaging for buyer negotiations.

Dark Web Informer © 2026 | Cyber Threat Intelligence
DarkWebInformer.com

Related

Latest