French Football Federation faces own-goal after club software data breach
(2025/12/01)
- Reference: 1764589263
- News link: https://www.theregister.co.uk/2025/12/01/french_football_federation_breach/
- Source link:
The French Football Federation (FFF) has conceded that attackers broke into its member management software using a compromised account, scoring a match sheet's worth of player data in the process.
The FFF, French football's national governing body, is the outfit that organizes everything from Sunday league pitch markings to World Cup campaigns, handling licensing, regulation, coaching programs, club financing, and France's seat at FIFA and UEFA's top tables. In short, if French football has strings, the FFF usually pulls them.
According to [1]a statement from the FFF published on Monday, the intrusion was spotted via an unauthorized login traced to a compromised account. The FFF said it immediately disabled the rogue account and reset passwords for every user on the platform, applying the infosec equivalent of subbing off the entire squad for a fresh line-up. The federation also secured the software and underlying data to block any further lateral plays by the intruders, temporarily disrupting access but keeping the incident from escalating.
[2]Manchester United working with infosec experts to 'minimize ongoing IT disruption' caused by 'cyber attack'
[3]French parliament says oui to AI surveillance for 2024 Paris Olympics
[4]Leeds United kick card swipers into Row Z after 5-day cyberattack
[5]Back of the net? Google's DeepMind is coming for football tactics
The stolen data included first and last names, gender, date and place of birth, nationality, postal address, email address, phone number, and license number, the federation said. No banking information or national identity numbers were involved. The FFF didn't disclose how many individuals were affected, but the federation has more than 2.2 million members across approximately 18,000 clubs, [6]according to its own data.
The FFF has filed a criminal complaint and has formally informed France's cybersecurity agency, ANSSI, and the data protection watchdog, CNIL. It also says it's lacing up its security boots after the breach "to cope, like many other actors, with the increasing number and new forms of cyberattacks."
[7]
It will notify individuals whose email addresses appear in the stolen database, and urged extreme caution around messages claiming to be from the FFF, associated clubs, or any sender invoking federation business – particularly those pushing attachments, credential resets, or demands for passwords or financial information.
[8]
The warning reads a bit like the FFF telling supporters not to hand cash to a bloke selling knock-off tickets from a hatchback, but the advice is sound: treat anything unexpected with suspicion, especially if it smells more of fifth division than first. ®
Get our [9]Tech Resources
[1] https://www.fff.fr/article/15831-communique-du-26-novembre-relatif-au-vol-de-donnees.html
[2] https://www.theregister.com/2020/11/21/manchester_united_working_with_infosec/
[3] https://www.theregister.com/2023/03/24/al_surveillance_french/
[4] https://www.theregister.com/2025/03/05/leeds_united_card_swipers/
[5] https://www.theregister.com/2024/03/20/googles_deepmind_football/
[6] https://uk.fff.fr/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aS3JrPBnWm1d8QJnJTJxIQAAAJQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aS3JrPBnWm1d8QJnJTJxIQAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://whitepapers.theregister.com/
The FFF, French football's national governing body, is the outfit that organizes everything from Sunday league pitch markings to World Cup campaigns, handling licensing, regulation, coaching programs, club financing, and France's seat at FIFA and UEFA's top tables. In short, if French football has strings, the FFF usually pulls them.
According to [1]a statement from the FFF published on Monday, the intrusion was spotted via an unauthorized login traced to a compromised account. The FFF said it immediately disabled the rogue account and reset passwords for every user on the platform, applying the infosec equivalent of subbing off the entire squad for a fresh line-up. The federation also secured the software and underlying data to block any further lateral plays by the intruders, temporarily disrupting access but keeping the incident from escalating.
[2]Manchester United working with infosec experts to 'minimize ongoing IT disruption' caused by 'cyber attack'
[3]French parliament says oui to AI surveillance for 2024 Paris Olympics
[4]Leeds United kick card swipers into Row Z after 5-day cyberattack
[5]Back of the net? Google's DeepMind is coming for football tactics
The stolen data included first and last names, gender, date and place of birth, nationality, postal address, email address, phone number, and license number, the federation said. No banking information or national identity numbers were involved. The FFF didn't disclose how many individuals were affected, but the federation has more than 2.2 million members across approximately 18,000 clubs, [6]according to its own data.
The FFF has filed a criminal complaint and has formally informed France's cybersecurity agency, ANSSI, and the data protection watchdog, CNIL. It also says it's lacing up its security boots after the breach "to cope, like many other actors, with the increasing number and new forms of cyberattacks."
[7]
It will notify individuals whose email addresses appear in the stolen database, and urged extreme caution around messages claiming to be from the FFF, associated clubs, or any sender invoking federation business – particularly those pushing attachments, credential resets, or demands for passwords or financial information.
[8]
The warning reads a bit like the FFF telling supporters not to hand cash to a bloke selling knock-off tickets from a hatchback, but the advice is sound: treat anything unexpected with suspicion, especially if it smells more of fifth division than first. ®
Get our [9]Tech Resources
[1] https://www.fff.fr/article/15831-communique-du-26-novembre-relatif-au-vol-de-donnees.html
[2] https://www.theregister.com/2020/11/21/manchester_united_working_with_infosec/
[3] https://www.theregister.com/2023/03/24/al_surveillance_french/
[4] https://www.theregister.com/2025/03/05/leeds_united_card_swipers/
[5] https://www.theregister.com/2024/03/20/googles_deepmind_football/
[6] https://uk.fff.fr/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aS3JrPBnWm1d8QJnJTJxIQAAAJQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aS3JrPBnWm1d8QJnJTJxIQAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://whitepapers.theregister.com/