
ANTS Data Breach: 19 Million French Citizens Exposed by a "Really Stupid" Flaw

Nathan

On April 15, 2026, the Agence Nationale des Titres Sécurisés (ANTS), rebranded France Titres in 2025, detected an intrusion on its ants.gouv.fr portal. Five days later, the French Ministry of the Interior officially confirmed the breach. According to official communications, nearly 12 million accounts are affected. According to the attacker themselves, who put the data up for sale on a cybercriminal forum, the real figure exceeds 19 million records.

That gap between institutional messaging and the technical reality is, by itself, the most telling symptom of this affair. Here is what we know, how the flaw was exploited, what it says about the state of application security in the French public administration, and what you can concretely do if you are affected.

What ANTS is (and why this matters)

ANTS (the Agence Nationale des Titres Sécurisés) is the single operator for all secure identity documents in France: national ID cards, passports, driving licences, vehicle registration certificates (carte grise), and residence permits. Created in 2007 and reporting to the Ministry of the Interior, it runs the ants.gouv.fr portal, which handles tens of millions of administrative procedures each year.

In other words: if you have applied for or renewed a French ID card, passport, driving licence, or carte grise online in recent years, you very likely have an account on this portal. And very likely, your data is in the leak.

Timeline

| Date | Event |
| --- | --- |
| April 15, 2026 | Incident detected by France Titres security teams |
| April 16, 2026 | An actor using the alias breach3d claims the attack on a cybercriminal forum and lists the data for sale |
| April 20, 2026 | The Ministry of the Interior publicly confirms the breach |
| April 21, 2026 | The Ministry states that "nearly 12 million accounts may be affected" |
| Within 72 hours | Notification to CNIL (mandatory under GDPR) and ANSSI; criminal report filed with the Paris prosecutor |

The technical flaw: an IDOR, in other words the ABCs

The vulnerability exploited is an IDOR (Insecure Direct Object Reference). This is a class of flaw that has been on the OWASP Top 10 for more than a decade and that every junior developer learns to avoid in their first weeks. The attacker themselves, in their communications, described the flaw as "really stupid".

IDOR, explained without jargon

Imagine a building with 19 million mailboxes, each labelled BOX-00000001, BOX-00000002, up to BOX-19000000. To collect your mail, you give the caretaker your box number. The caretaker hands over the contents of that box, without checking whether the box actually belongs to you.

That is, broadly, what happened on the ANTS portal.

IDOR, explained technically

The moncompte.ants.gouv.fr API used sequential (or predictable) numeric identifiers to access user profiles. A request like:

GET /api/v1/users/1234567/profile HTTP/1.1
Host: moncompte.ants.gouv.fr
Authorization: Bearer <attacker_user_token>

returned the profile of user 1234567, without verifying that the authentication token presented actually belonged to that user. The attacker simply needed to be logged in with their own (legitimate) account, then increment the number in the URL to sequentially enumerate every profile in the database: 1234568, 1234569, and so on.

Put another way: authentication worked (verifying that the user is logged in), but authorisation was not checked (verifying that the logged-in user has the right to access this particular resource). A script of a few dozen lines is enough to exfiltrate millions of records.
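The authentication/authorisation gap described above, reduced to a minimal handler next to its corrected form. This is an added example, not code from the ANTS portal: the in-memory store, tokens, function names and response shape are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: IDs, names and tokens are invented for this example.
PROFILES = {
    1234567: {"name": "Alice Example", "email": "alice@example.test"},
    1234568: {"name": "Bob Example", "email": "bob@example.test"},
}
SESSIONS = {"token-alice": 1234567, "token-bob": 1234568}  # bearer token -> user id

@dataclass
class Response:
    status: int
    body: dict

def authenticate(token):
    """Authentication: who is calling? Returns the caller's user id, or None."""
    return SESSIONS.get(token)

def get_profile_vulnerable(token, requested_id):
    """The behaviour the article describes: any logged-in user reads any profile."""
    if authenticate(token) is None:
        return Response(401, {"error": "not authenticated"})
    profile = PROFILES.get(requested_id)
    if profile is None:
        return Response(404, {"error": "not found"})
    return Response(200, profile)  # never compares requested_id with the caller

def get_profile_hardened(token, requested_id):
    """Same endpoint with the authorisation step added."""
    caller_id = authenticate(token)
    if caller_id is None:
        return Response(401, {"error": "not authenticated"})
    # Authorisation: the object must belong to the caller. "Missing" and
    # "not yours" both return 404, so responses do not reveal which IDs exist.
    if requested_id != caller_id or requested_id not in PROFILES:
        return Response(404, {"error": "not found"})
    return Response(200, PROFILES[requested_id])

def get_my_profile(token):
    """Alternative design: no ID in the request; it comes from the session."""
    caller_id = authenticate(token)
    if caller_id is None:
        return Response(401, {"error": "not authenticated"})
    return Response(200, PROFILES[caller_id])
```

The last function removes the problem by construction: when the identifier is taken from the session rather than from the URL, there is nothing for a caller to change.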

This authentication/authorisation distinction is the first lesson of any application security course. That it was missed on a government portal centralising the identity of tens of millions of citizens raises questions about code review processes, security audits, and more broadly about the security-by-design culture in French public IT procurement.
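The enumeration described in this section also leaves a recognisable trace on the server side: a single session successfully reading many different profile IDs, often in consecutive order. The following detection sketch is an added example, not the portal's tooling; the log format, session identifiers and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log lines in an assumed format:
# "<timestamp> <session-id> <method> <path> <status>"
SAMPLE_LOG = """\
2026-01-05T09:00:01Z sess-a1 GET /api/v1/users/2000001/profile 200
2026-01-05T09:00:09Z sess-a1 GET /api/v1/users/2000001/profile 200
2026-01-05T09:01:00Z sess-b2 GET /api/v1/users/1234567/profile 200
2026-01-05T09:01:01Z sess-b2 GET /api/v1/users/1234568/profile 200
2026-01-05T09:01:02Z sess-b2 GET /api/v1/users/1234569/profile 200
2026-01-05T09:01:03Z sess-b2 GET /api/v1/users/1234570/profile 200
2026-01-05T09:02:00Z sess-c3 GET /api/v1/users/3000000/profile 401
2026-01-05T09:02:30Z sess-c3 GET /api/v1/users/3000000/profile 200
"""

PROFILE_PATH = re.compile(r"^/api/v1/users/(\d+)/profile$")

def longest_consecutive_run(ids):
    """Length of the longest run of IDs that each differ by 1 from the previous."""
    ordered = sorted(ids)
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_profile_enumeration(log_text, max_distinct_ids=1):
    """Return sessions that successfully read more profile IDs than allowed."""
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _ts, session, method, path, status = parts
        match = PROFILE_PATH.match(path)
        if method == "GET" and status == "200" and match:
            ids_by_session[session].add(int(match.group(1)))
    return {
        session: {"distinct_ids": len(ids), "longest_run": longest_consecutive_run(ids)}
        for session, ids in ids_by_session.items()
        if len(ids) > max_distinct_ids
    }
```

The default threshold of 1 reflects that an ordinary user session only ever needs its own profile; any service or support accounts with a legitimate reason to read several profiles would need to be excluded before alerting on this.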

Exposed data

For each account, the following fields were exfiltrated:

  • Login identifier
  • Title (Mr/Mrs)
  • First and last names
  • Email address
  • Date of birth
  • Unique account identifier

And, for accounts where these fields were populated:

  • Postal address
  • Place of birth
  • Phone number

What was not leaked (according to official communications)

  • The documents themselves (ID card copies, proof of residence, ID photos) are said to not be included in the leak
  • Passwords are not mentioned as compromised (the attack bypassed authentication; it did not steal credentials)
  • ID card / passport / driving licence numbers are reportedly not in the batch either

These clarifications should be taken with a grain of salt: the technical investigation is ongoing, and institutional communications in the early days of an incident frequently underestimate the scope of the damage.

Are you affected?

Probably, if:

  • You created an account on ants.gouv.fr or moncompte.ants.gouv.fr in recent years
  • You completed an online procedure for an ID card, passport, driving licence, or vehicle registration via the portal
  • You have a FranceConnect account linked to ANTS

At this stage, the administration has not yet set up an official verification portal allowing a user to know whether their specific account is in the leak. This is a notable gap in the incident response: GDPR Article 34 requires "clear and comprehensive" communication to affected individuals when the breach presents a high risk to their rights and freedoms.

Checking via Have I Been Pwned

Have I Been Pwned is the global reference service for checking whether an email address has been compromised in a known breach. It is maintained by Australian security researcher Troy Hunt and officially used by several governments, including the British government.

The page haveibeenpwned.com/breach/FrenchCitizens currently references a different incident: a September 2024 compilation of 28.4 million French email addresses aggregated from multiple prior breaches. The April 2026 ANTS breach is not yet indexed there at the time of writing.

If the attacker eventually publishes the data in the clear, which happens very often weeks after a failed or partial sale, it will most likely be added to the Have I Been Pwned database. We recommend coming back to check this page regularly, as well as using the email lookup form on the site's homepage, in the weeks and months ahead.

What to do, concretely, right now

1. Harden your accounts

  • Change your ANTS password if you have one, especially if it is reused elsewhere
  • Enable two-factor authentication on FranceConnect (via the FranceConnect+ app)
  • Change the password of the email address associated with your ANTS account if it is reused
  • Use a password manager to generate unique passwords per service

2. Prepare for a wave of targeted phishing

With a name, email address, date of birth, and sometimes a postal address, attackers have everything needed to craft highly personalised phishing campaigns. In the coming weeks, expect to receive:

  • Fake "Ministry of the Interior" emails asking you to "verify your information"
  • Fake "ANTS" text messages inviting you to click a link to renew a document
  • Calls from "civil servants" using your real information to build trust

Golden rule: no email, SMS, or phone call should lead you to enter a password or banking details. If in doubt, type ants.gouv.fr into your browser yourself and go through the official portal. Never via a link.

3. Monitor your identity

  • Keep an eye on your bank statements in the coming months
  • In case of confirmed identity theft, report it on the Perceval platform and file a police complaint
  • Report any phishing email to signal-spam.fr and 33700 for SMS

4. Check Have I Been Pwned regularly

Sign up for Have I Been Pwned's free notification service: you will be automatically alerted by email if an address you own appears in a newly indexed breach. This is, today, the best passive protection available for an individual.

What this incident says about the state of public sector security

Beyond the ANTS case, several lessons emerge:

The secure-by-design paradox

Since 2009, France has had a national agency (the ANSSI) whose explicit role is to raise the security level of critical information systems, both public and private. It publishes demanding standards (RGS, SecNumCloud) and audits operators of vital importance. That a flaw as basic as an IDOR can persist on a portal exposing the identity of tens of millions of citizens suggests that application security is not treated with the same rigour as infrastructure security in public procurement.

Institutional messaging vs. reality

Early official communications spoke of "a few thousand users potentially affected". In five days, the number climbed to "nearly 12 million". The attacker claims 19 million. This staircase progression is a classic of incident response: underestimate in the first hours to avoid alarm, then adjust to reality. It degrades public trust and paradoxically penalises the users who would benefit most from being informed as early as possible.

The gap between obligations and sanctions

The GDPR provides for sanctions up to 4% of global turnover for a private company that has failed in its security obligations (Article 32). In the case of a public administration, the CNIL can impose fines up to €20 million. It remains to be seen whether the regulator will apply, to the State itself, the same firmness as to private actors. Historically, sanctions against administrations are rare and symbolic.

What we take away, as security professionals

The ANTS breach is not a sophisticated attack. It is not a Chinese APT, not an unknown zero-day, not a complex supply chain compromise. It is a textbook flaw, exploited by a lone actor, on a system centralising the identity of a third of the French population.

The question, then, is not "how do we stop sophisticated attackers?" The question is "why, in 2026, are the basics of application security still not applied on critical systems?" The answer probably comes down to three words: audit, review, culture. Independent security audit before production release. Systematic code review with a security lens. A team culture where security is not a separate department, but a pillar integrated into daily work.

That, incidentally, is what we practise at Evana. Our security audits cover precisely this type of vulnerability, and our development projects integrate security from the design phase. Not because it is fashionable. Because incidents like this one are preventable, provided the right decisions are made at the right time.
