France's Agence nationale des titres sécurisés (ANTS), the government body managing national IDs, passports, driver's licenses, and vehicle registrations, confirmed a security incident on April 20, 2026 after detecting anomalous activity on its ants.gouv.fr portal on April 15. A threat actor operating under the handle "breach3d" claims to hold between 18 and 19 million records lifted from the moncompte.ants.gouv.fr API, and is advertising the dataset on a cybercrime forum. The French Ministry of the Interior has published an official communiqué, but independent research from FrenchBreaches and journalist coverage suggest the exposure is significantly broader than the government acknowledges.

What Happened

On April 15, 2026, ANTS detected suspicious activity on its citizen-facing portal. Five days later, the agency publicly confirmed an incident affecting ants.gouv.fr, the single gateway French citizens use to apply for and renew state-issued identity documents. While the official statement from the Ministère de l'Intérieur remains deliberately vague on scope, a threat actor calling themselves "breach3d" surfaced on a cybercriminal forum claiming responsibility and offering a dataset of 18 to 19 million records for sale. The attacker reportedly described the underlying vulnerability as "really stupid," indicating a trivial exploitation path against a high-value government asset.

What Was Taken

The exposed records correspond to French citizens who have interacted with the ANTS portal to process secured identity documents. According to reporting, the dataset includes full names, dates and places of birth, postal addresses, phone numbers, and crucially a state-verified confirmation that each identity has been authenticated by the French government. This last attribute elevates the data well beyond a typical consumer breach: it represents a pre-validated civil identity profile, directly actionable for identity fraud, SIM swapping, loan fraud, and targeted social engineering. With 18 to 19 million records in circulation, roughly a quarter of France's population may be affected.

Why It Matters

ANTS is not a peripheral service. It is the production and distribution backbone for every major French identity credential: carte nationale d'identité, passport, driver's license, and carte grise. A breach of this scale and specificity hands criminals a turnkey identity-fraud toolkit pre-verified by the French state itself. The exposure also undermines trust in e-government platforms at a moment when the European Union is pushing digital identity wallets and centralized citizen portals. Defenders across the public sector should treat this as a warning that legacy API authorization weaknesses remain catastrophic when paired with high-value datasets.

The Attack Technique

The attacker exploited an Insecure Direct Object Reference (IDOR) vulnerability in the API serving moncompte.ants.gouv.fr. IDOR flaws allow an authenticated or weakly authenticated user to access records belonging to other users simply by modifying an identifier in an API request, because the server fails to enforce authorization checks tying the requested object to the calling session. By iterating through predictable identifiers, "breach3d" was able to scrape millions of citizen profiles at scale. IDOR is among the most documented and easily testable classes of web vulnerability, ranked under OWASP's Broken Access Control category, which makes its presence on a national identity portal particularly damning.

What Organizations Should Do

Sources: Fuite de données ANTS : vos titres d'identité sont peut-être entre les mains de hackers