CAF Hacked 2024: 600,000 French Welfare Recipients Exposed
"Your family allowances, your RSA, your housing benefits... and all the personal data that comes with them: exposed on the dark web. 600,000 French citizens affected."
Table of Contents
- What Happened
- What Data Was Stolen?
- The Concrete Risks
- Who Is Affected?
- The CAF's Response
- Liability and Legal Remedies
- How to Protect Yourself
- The Context: CAF, One Case Among Many
- FAQ
- Conclusion: Take Your Security Into Your Own Hands
- Sources
In February 2024, a group of hackers claimed to have stolen data from 600,000 CAF accounts (Caisse d'Allocations Familiales — the French Family Allowance Fund). Names, addresses, family situations, income, benefits received... ultra-sensitive information ended up in cybercriminals' hands.
The CAF initially denied it before gradually acknowledging the incident. This hack reveals just how poorly the social data of French citizens — among the most sensitive there is — is protected.
This article reviews what we know, the risks for beneficiaries, and the steps to take.
What Happened
February 2024: hackers steal the data of 600,000 French welfare recipients.
Timeline of the Attack
| Date | Event |
|---|---|
| Early February 2024 | First signs of intrusion detected |
| February 12, 2024 | A hacker group claims the breach |
| February 13, 2024 | The CAF initially denies it |
| February 14, 2024 | Partial confirmation of the incident |
| February 2024 | Notification of affected individuals |
| March 2024 | CNIL investigation opened |
The Attack Scenario
According to available information, the hackers used credential stuffing:
- Retrieval of lists of emails and passwords from previous data breaches
- Automated testing of these credentials on caf.fr
- Successful access for accounts using reused passwords
- Extraction of personal data from compromised accounts
"This is not a technical flaw in the CAF per se. The hackers exploited users' poor password hygiene. But the CAF should have had protections against this type of attack."
— Cybersecurity expert, BFM Tech
Confirmed Scale
| Indicator | Figure |
|---|---|
| Compromised accounts | ~600,000 |
| Total CAF beneficiaries | ~14 million |
| Proportion affected | ~4.3% |
Source: CNIL - CAF Data Breach
What Data Was Stolen?
Your income, family situation, benefits: a complete X-ray of your life.
Exposed Data
The CAF collects enormous amounts of information on its beneficiaries. During this hack, the following data was potentially exposed:
| Data Type | Exposed | Risk Level |
|---|---|---|
| Full name | Yes | High |
| Postal address | Yes | High |
| | Yes | High (phishing) |
| Phone number | Yes | High (scams) |
| Date of birth | Yes | High |
| Family situation | Yes | Sensitive |
| Household composition | Yes | Sensitive |
| Declared income | Yes | Very sensitive |
| Benefits received | Yes | Very sensitive |
| Benefit amounts | Yes | Very sensitive |
| Bank details (IBAN) | Possible | Critical if exposed |
What This Data Reveals
A complete CAF profile provides a full X-ray of your life:
Financial situation:
- Household income
- Level of financial hardship
- Dependence on welfare
Family situation:
- Number of children
- Marital status
- Potential disability in the household
Housing situation:
- Type of housing
- Rent amount (for housing benefits)
- Precise address
This information is exceptionally sensitive because it reveals people's vulnerabilities.
The Concrete Risks
Scammers now know your real situation and your actual benefit amounts.
1. Ultra-Targeted "CAF" Phishing
With your data, scammers can create perfectly credible messages:
Example of a fraudulent post-breach SMS:
"CAF: Your housing benefit of EUR 287 will be paid on 03/05 to account ***1234. To speed up the payment, confirm your bank details: [link]"
This message is terrifyingly credible because it mentions:
- The real amount of your housing benefit
- The last 4 digits of your account (extracted from your data)
- A plausible date
2. Benefit Fraud
A criminal with your data can:
Change your bank details:
- Modify the payment IBAN
- Redirect your benefits to another account
Apply for benefits in your name:
- Fraudulent change of situation declarations
- Applications for new benefits
Impersonate you to the CAF:
- Call customer service pretending to be you
- Obtain additional information
3. Targeting Vulnerable People
CAF data allows identification of:
- Single-parent families
- People with disabilities (AAH — disability benefit)
- People in severe financial hardship (RSA — minimum income)
- Dependent elderly people
These profiles are prime targets for scams because:
- More psychologically vulnerable
- Often less digitally literate
- Financially dependent on their benefits
4. The Fake CAF Agent Scam
Classic post-breach scenario:
- Phone call from a "CAF agent"
- They know your name, address, situation, amounts
- They announce a "payment problem"
- They ask you to "confirm your bank details" to resolve it
- You give your banking information → scam
"Since the breach, we have seen an explosion of fraudulent calls impersonating the CAF. The scammers have all the information to be credible."
— Victim assistance organization
Who Is Affected?
Reused passwords, accounts without 2FA: the profiles targeted by the attack.
The Victim Profile
The 600,000 compromised accounts are not random. They are primarily accounts whose users:
- Reused their password
- Used a weak password (date of birth, first name, etc.)
- Had not enabled 2FA (two-factor authentication)
How to Know If You Are Affected
1. CAF Notification
The CAF notified affected individuals by email. Check:
- Your primary inbox
- Your spam folder
- The email associated with your CAF account
2. Contact the CAF
You can contact your local CAF for confirmation:
- By phone: the number on caf.fr
- By mail
- Via the secure messaging system in your account
3. Check Your Account Logins
Log into your CAF account and check:
- Login history
- Recent data modifications
- The registered bank details
The CAF's Response
Between initial denial and belated acknowledgment, the CAF struggled to manage the crisis.
Official Communication
The CAF:
- Confirmed the incident after an initial denial
- Notified affected individuals
- Reported the incident to the CNIL
- Strengthened (according to them) security measures
What Raises Questions
The initial denial:
- Why did the CAF first deny the attack?
- What is the true scale?
Protection measures:
- Why was massive credential stuffing not detected?
- Why was 2FA not mandatory?
- Were sensitive accounts protected?
The notification:
- Were all affected individuals actually notified?
- Was the notification delay GDPR-compliant?
Liability and Legal Remedies
The GDPR imposes strict obligations: did the CAF comply?
The CAF's GDPR Obligations
As a data controller, the CAF must:
- Secure data (Article 32)
  - Appropriate technical and organizational measures
  - Protection against unauthorized access
- Notify breaches (Article 33)
  - CNIL within 72 hours
  - Affected individuals if high risk
- Document incidents (Article 33)
  - Nature of the breach
  - Measures taken
The CNIL Investigation
The CNIL opened an investigation to examine:
- Security measures in place before the attack
- Responsiveness of notification
- Overall GDPR compliance
Possible sanctions:
- Formal notice
- Fine (up to EUR20 million or 4% of "revenue")
- Enforcement order
Your Legal Remedies
File a complaint with the CNIL:
- Online form at cnil.fr
- Free of charge
- Can lead to sanctions against the organization
File a police report:
- If you suffer actual harm (scam, identity theft)
- Keep all evidence
Join a class action:
- Several organizations are launching proceedings
- UFC-Que Choisir is following the case
Individual action:
- Claim for damages
- Before the judicial court
How to Protect Yourself
Strong passwords, 2FA enabled, maximum vigilance: your line of defense.
Immediate Actions
1. Change your CAF password
- Unique password (never used elsewhere)
- Long and complex (12+ characters)
- Use a password manager
2. Enable two-factor authentication
- If available on caf.fr
- Via SMS or app
3. Check your account
- Registered bank details (are they yours?)
- Recent modifications
- Login history
4. Monitor your benefits
- Check amounts paid
- Verify the destination account
- Report any anomaly
Enhanced Vigilance
Absolute caution with contacts:
- The CAF will never ask for your password
- The CAF will never ask for your bank details by phone/SMS
- When in doubt, hang up and call the official number
Bank monitoring:
- Enable alerts on your account
- Check direct debits regularly
- Report any suspicious activity
Long-Term Protection
| Action | Priority |
|---|---|
| Password manager | Immediate |
| 2FA on all accounts | Immediate |
| Secure email (ProtonMail) | Important |
| VPN (ProtonVPN, Mullvad) | Important |
Complete guide: How to Protect Your Personal Data
The Context: CAF, One Case Among Many
French public services: a series of cyberattacks in 2024.
Public Service Breaches in 2024
The CAF is not an isolated case. French public services keep accumulating incidents:
| Service | Date | People Affected |
|---|---|---|
| France Travail | March 2024 | 43 million |
| CAF | February 2024 | 600,000 |
| Hospitals (various) | 2022-2024 | Millions |
| Police files | 2024 | 19 million on file |
Full overview: France, Digital Sieve
Why Public Services Are Vulnerable
- Underinvestment in cybersecurity
- Outdated systems (sometimes 10-20 years old)
- Insufficient training of personnel
- Priority on functionality over security
- Administrative complexity slowing updates
FAQ
How do I know if I am among the 600,000 victims?
The CAF was supposed to notify all affected individuals by email. If you have not received anything, you are probably not directly affected. However, you can contact your CAF for confirmation.
Should I change my password even if I was not notified?
Yes, it is good practice. Take the opportunity to use a unique password and enable 2FA if available.
Will the CAF compensate me?
Not automatically. However, if you suffer demonstrable harm (scam, identity theft), you can take legal action. Class actions are being prepared.
Are my benefits at risk?
If your account was compromised, a criminal could theoretically modify your bank details to redirect payments. Regularly check that the registered IBAN is yours.
I am receiving calls from the "CAF" — how do I know if it is real?
- The real CAF will never ask for sensitive data by phone
- Never give your password, bank details, or card number
- Hang up and call the official number (on caf.fr)
Is this hack related to France Travail?
Not directly — these are two separate incidents. However, if you are affected by both, criminals can cross-reference the data for an even more complete profile.
Conclusion: Take Your Security Into Your Own Hands
The CAF hack illustrates a worrying reality: the organizations meant to protect the most vulnerable are themselves vulnerable.
Key takeaways:
- 600,000 beneficiaries had their data exposed
- CAF data is ultra-sensitive (income, family situation, vulnerabilities)
- Phishing will be credible because scammers have real information
- The State is not protecting you — take measures yourself
Trust in institutions is eroding. Faced with this failure, the only response is to strengthen your own digital security: unique passwords, two-factor authentication, maximum vigilance.
For a complete protection guide: How to Protect Your Personal Data.