Executive Summary

On February 23, 2026, Olympique Marseille became the subject of a public cyberattack claim, with a hacker alleging possession and intent to sell a database containing information on approximately 400,000 supporters. The club responded promptly, issuing an official statement on February 24, 2026, confirming an attempted cyber intrusion but disputing the scale of the breach. Olympique Marseille emphasized that no banking data or passwords were compromised and reassured supporters regarding the potential consequences. The club resolved a technical website glitch associated with the incident and filed a formal complaint with France’s National Commission for Informatics and Liberties (CNIL). Investigations are ongoing, and the club continues to monitor its systems. No technical details about the attack vector or exploited vulnerabilities have been disclosed. The incident underscores the increasing targeting of sports organizations by cybercriminals and highlights the importance of transparent communication and regulatory compliance in the aftermath of cyber incidents. All information in this summary is based on official statements and verified media reports as of February 25, 2026. [https://ground.news/article/olympique-de-marseille-om-has-officially-issued-a-statement-following-a-cyberattack] [https://onefootball.com/de/news/marseille-reassure-fans-after-cyberattack-bank-data-and-passwords-unaffected-42462770] [https://m.elbotola.com/en/article/2026-02-25-01-10-436.html]

Technical Information

The Olympique Marseille incident involved an attempted cyber intrusion targeting the club’s official website. The initial public disclosure came from cybersecurity specialist Clément "SaxX" Domingo, who reported on social media that a cybercriminal was offering a database for sale, allegedly containing information on 400,000 club members and fans. Olympique Marseille’s official response categorically disputed the magnitude of the breach, stating that the figures were greatly exaggerated and, critically, that no banking data or passwords were exposed.

No technical indicators of compromise (IoCs), such as malware samples, exploit details, or forensic artifacts, have been released by Olympique Marseille or cited in any primary sources as of February 25, 2026. The club’s technical teams, supported by specialist providers, responded rapidly to contain the incident and restore website services. The technical glitch affecting the website was resolved, and operations continued as normal.

Based on the incident narrative and sector trends, the attack pattern is consistent with web application attacks targeting data exfiltration, such as SQL injection or exploitation of web vulnerabilities. However, there is no direct evidence confirming the specific attack vector. The rapid restoration of website services and the club’s emphasis on the non-compromise of sensitive data suggest that the attack may have targeted non-critical user data, possibly via a web application vulnerability or credential stuffing. This assessment is made with low confidence due to the absence of technical artifacts.

No malware, hacking tools, or exploit kits have been identified or reported in connection with this incident. The claim of a database for sale is typical of breaches involving SQL injection (MITRE ATT&CK T1190: Exploit Public-Facing Application) or credential compromise (T1078: Valid Accounts), but this remains speculative in the absence of technical evidence.

No attribution to a specific threat actor or group has been made by the club or authorities. No technical indicators such as IP addresses or malware hashes have been published. The incident matches common cybercriminal tactics targeting sports organizations for data theft and extortion, but no unique tactics, techniques, or procedures (TTPs) or actor signatures are present.

The club’s immediate filing of a complaint with the CNIL demonstrates compliance with regulatory requirements for personal data protection in the European Union. Olympique Marseille continues to monitor its systems and has initiated in-depth investigations to ensure the security of its digital platforms and protect fan privacy.

Affected Versions & Timeline

The incident timeline is as follows: On February 23, 2026, cybersecurity specialist Clément "SaxX" Domingo reported the hacker’s claim of possessing and selling a supporter database. On February 24, 2026, Olympique Marseille issued an official statement confirming an attempted cyber intrusion and disputing the scale of the breach. The club reassured supporters that no banking data or passwords were compromised. By February 25, 2026, the technical glitch affecting the website had been resolved, and the club confirmed that services had returned to normal. The club filed a formal complaint with the CNIL and continues to investigate the incident. [https://ground.news/article/olympique-de-marseille-om-has-officially-issued-a-statement-following-a-cyberattack] [https://onefootball.com/de/news/marseille-reassure-fans-after-cyberattack-bank-data-and-passwords-unaffected-42462770] [https://m.elbotola.com/en/article/2026-02-25-01-10-436.html]

No specific software versions, platforms, or products have been identified as affected, as no technical details about the exploited vulnerabilities have been disclosed.

Threat Activity

The threat activity in this incident centers on an attempted intrusion into Olympique Marseille’s website, followed by a hacker’s claim to possess and sell a large supporter database. The club’s official statements and media reports indicate that the figures cited by the hacker were greatly exaggerated and that no sensitive data such as banking information or passwords were compromised.

The pattern of activity is consistent with cybercriminal tactics targeting sports organizations for data theft and extortion. The attempted sale of supporter data aligns with previous attacks on sports clubs, where personal data is leveraged for financial gain or reputational damage. However, no direct evidence links this attack to a broader campaign or sector-specific threat actor.

No technical details about the attack vector, malware, or tools have been disclosed. The most likely MITRE ATT&CK techniques, based on incident pattern and sector trends, are T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts), but this is speculative and supported only by circumstantial evidence. No evidence of ransomware, destructive malware, or advanced persistent threat (APT) activity has been reported.

Olympique Marseille’s response included rapid mobilization of technical teams, restoration of website services, and communication with supporters to reinforce good digital hygiene practices, such as strengthening passwords and being vigilant for phishing attempts.

Mitigation & Workarounds

Based on the available information, the following mitigation and workaround recommendations are prioritized by severity:

Critical: Organizations in the sports sector and other high-profile targets should ensure that all public-facing web applications are regularly tested for vulnerabilities, including SQL injection and authentication weaknesses. Immediate patching and hardening of web infrastructure are essential to prevent similar incidents.

High: Implement multi-factor authentication (MFA) for all administrative access to web platforms and databases. Regularly review and update access controls to minimize the risk of credential compromise.

Medium: Conduct regular security awareness training for staff and users, emphasizing the importance of strong, unique passwords and vigilance against phishing attempts. Monitor for signs of credential stuffing and brute-force attacks.

Low: Maintain transparent communication with stakeholders and regulatory bodies in the event of a cyber incident. Ensure that incident response plans are up to date and tested regularly.

Olympique Marseille’s actions—rapid incident containment, regulatory notification, and public communication—are consistent with best practices for incident response and data protection. Organizations should review their own incident response and data protection procedures in light of this incident.

References

https://ground.news/article/olympique-de-marseille-om-has-officially-issued-a-statement-following-a-cyberattack (Feb 24, 2026)

https://onefootball.com/de/news/marseille-reassure-fans-after-cyberattack-bank-data-and-passwords-unaffected-42462770 (Feb 24, 2026)

https://m.elbotola.com/en/article/2026-02-25-01-10-436.html (Feb 25, 2026)

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their digital supply chain. Our platform enables continuous monitoring of vendor security posture, automated risk assessments, and actionable insights to support incident response and regulatory compliance. For questions regarding this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.