In January 2026, data from more than 90 million accounts was leaked in France. This unprecedented wave highlights the fragility of the regulations imposed on companies and administrations, as well as the consequences of centralizing personal data.
Data leaks reach a new record in France
In recent months, announcements and publications concerning new data leaks affecting thousands, even millions, of French citizens have multiplied on social media.
Although it is difficult to make an accurate comparison with leaks in previous years, as these are not always made public, it is clear that personal data leaks now affect millions of French citizens.
The data compiled by the monitoring site BonjourLaFuite allows us to quantify the scale of these leaks. According to this site, between January 1 and 31, 2026, more than 90 million accounts had their data leaked as a result of various security incidents.
These leaks can be caused by insufficient security in the databases of companies or organizations, allowing hackers to access them remotely. But the threat can also come from within, with several cases revealing that some malicious employees sell the data or profiles of targeted individuals to criminal networks.
A few recent examples illustrate the seriousness of the situation. In January, the restaurant chain O’Tacos was the victim of a leak involving 29 million customer profiles, Panorama Banques 2.3 million, the French Volleyball Federation around 1.2 million, and URSSAF nearly 12 million.
These leaks exposed data such as first and last names, email addresses, and sometimes even postal addresses, phone numbers, ID photos, IP addresses, etc.
These staggering figures alone are close to the total number of leaks recorded for the whole of 2025, estimated at around 100 million accounts.
France Travail was recently fined €5 million by the CNIL following a data leak in 2024 that exposed the personal information of 36.8 million people. This is an absurd situation, to say the least, where one public body is sanctioned by another, all financed by taxpayer money.
How do these data leaks put our lives at risk?
The increase in data leaks highlights the limitations of current anti-money laundering and counter-terrorist financing (AML/CTF) measures, particularly through know-your-customer (KYC) identity verification requirements.
By forcing exchange platforms and online services to store sensitive data (identities, addresses, balances, etc.), regulators have in fact created targets for criminals. When these databases are compromised, which is becoming increasingly frequent, the consequences go far beyond simple identity theft.
Since the beginning of 2025, there has been an alarming rise in “crypto-kidnappings,” where individuals identified by their digital assets are abducted and/or assaulted in order to extort their cryptocurrencies. Criminals sometimes even target family members.
Obviously, when data leaks affect elected officials, the reaction is immediate. Yaël Braun-Pivet, President of the National Assembly, referred the matter to the public prosecutor as soon as personal information concerning members of parliament and Assembly officials was published. This responsiveness contrasts with the usual inaction when millions of French citizens see their data exposed every month.
The disclosure of personal data concerning members of parliament and National Assembly officials is extremely serious.
I immediately referred the matter to the public prosecutor and reported it to Pharos so that these facts could be examined and the… pic.twitter.com/d2NBuvYs7i
— Yaël Braun-Pivet (@YaelBRAUNPIVET) February 3, 2026
The most absurd thing is that these KYC identification measures are ineffective against fraud, which is often carried out using stolen accounts or front men. What’s more, the economic and human cost incurred by regulated platforms far exceeds the fraudulent funds recovered by the authorities.
In this already worrying context, France has just passed a law prohibiting access to social networks for children under the age of 15. Presented as a child protection measure, it actually requires the systematic collection of all users’ identities, further increasing the attack surface in the event of a leak.
Rather than protecting citizens, these policies expose more sensitive data, creating digital time bombs, also known as “honey pots,” that attackers will have no trouble targeting.
