Executive Summary
On April 15, 2026, the French government’s official identity document portal, operated by Agence nationale des titres sécurisés (ANTS), also known as France Titres, detected a significant security breach. The incident exposed personal data from both individual and professional user accounts, including names, email addresses, dates and places of birth, login credentials, unique account identifiers, postal addresses, and phone numbers. Uploaded documents, such as scanned IDs, were not compromised. The breach was caused by an Insecure Direct Object Reference (IDOR) vulnerability in the ANTS API, which allowed unauthorized access to user data by manipulating request parameters. A threat actor using the alias “breach3d” claimed responsibility and offered the dataset—allegedly containing up to 19 million records—for sale on criminal forums. The French authorities have notified affected users, regulatory bodies, and law enforcement, and have implemented additional security measures. The most immediate risks are targeted phishing and long-term identity fraud, given the nature and permanence of the compromised data. Investigations are ongoing, and the full scope of the breach is still being established.
Technical Information
The breach at ANTS/France Titres was executed through exploitation of an Insecure Direct Object Reference (IDOR) vulnerability in the agency’s API. An IDOR vulnerability occurs when an application provides direct access to objects based on user-supplied input, without proper authorization checks. In this case, the attacker was able to manipulate parameters in API requests to enumerate and extract records belonging to other users, bypassing authentication and authorization controls. This type of vulnerability is classified under the OWASP Top 10 as a common and critical web application security flaw.
Technical analysis confirms that no malware, credential stuffing, or phishing was involved in the initial compromise. The attacker, self-identified as “breach3d,” described the flaw as “elementary” and “really stupid,” indicating a lack of basic access controls on sensitive endpoints. The attack did not require sophisticated tooling; direct API manipulation was sufficient to access large volumes of user data.
The compromised data includes login credentials, full names, email addresses, dates and places of birth, unique account identifiers, postal addresses, phone numbers, and, in some cases, gender and civil status. Notably, uploaded documents such as scanned identification or proof of address were not affected. The combination of exposed fields creates a comprehensive profile for each user, increasing the risk of targeted phishing and identity fraud.
The incident was detected on April 15, 2026. On April 16, 2026, the threat actor posted a claim on criminal forums, offering the dataset for sale. The dataset has not been publicly leaked but remains a private listing, which means the information has not yet circulated freely on the criminal market. The agency confirmed that the exposed data alone would not allow direct access to user accounts or the reissuance of official documents.
The attack has been mapped to the MITRE ATT&CK framework as follows:
- Initial Access (TA0001): Exploitation of Remote Services (T1210), representing the exploitation of the IDOR vulnerability in the API.
- Collection (TA0009): Automated Collection (T1119), reflecting the automated extraction of user data via API requests.
- Credential Access (TA0006): Valid Accounts (T1078), though the primary vector was IDOR rather than misuse of valid credentials.
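Automated extraction of this kind leaves a recognizable trace in API access logs: one authenticated subject successfully reading many accounts other than its own in a short period. The following detection sketch is an added example, not code or log data from ANTS or from this report; the log layout, the `/api/accounts/` path, the threshold and the window are assumptions, and the threshold must be tuned so that professional accounts with legitimate delegated reads are not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log layout: timestamp, authenticated subject, request, status.
LINE = re.compile(r"^(?P<ts>\S+) subject=(?P<subject>\d+) "
                  r"GET /api/accounts/(?P<obj>\d+) (?P<status>\d{3})$")

# Constructed sample log lines, not taken from the incident.
SAMPLE_LOG = [
    "2026-01-01T09:00:00Z subject=1001 GET /api/accounts/1001 200",  # own record
    "2026-01-01T09:00:05Z subject=2001 GET /api/accounts/1002 200",  # one delegated read
    "2026-01-01T09:01:00Z subject=3003 GET /api/accounts/1001 200",
    "2026-01-01T09:01:01Z subject=3003 GET /api/accounts/1002 200",
    "2026-01-01T09:01:02Z subject=3003 GET /api/accounts/1003 404",
    "2026-01-01T09:01:03Z subject=3003 GET /api/accounts/1004 200",
    "2026-01-01T09:01:04Z subject=3003 GET /api/accounts/1005 200",
    "2026-01-01T10:00:00Z subject=4004 GET /api/accounts/5001 200",  # slow, spread out
    "2026-01-01T11:00:00Z subject=4004 GET /api/accounts/5002 200",
    "2026-01-01T12:00:00Z subject=4004 GET /api/accounts/5003 200",
    "2026-01-01T13:00:00Z subject=4004 GET /api/accounts/5004 200",
]

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m["subject"]), int(m["obj"]), int(m["status"])

def find_enumeration(lines, max_foreign_ids=3, window=timedelta(minutes=5)):
    """Map subject -> foreign account IDs read, when more than max_foreign_ids
    distinct accounts other than the subject's own were read within window."""
    reads = defaultdict(list)
    for ts, subject, obj, status in filter(None, map(parse, lines)):
        if status == 200 and obj != subject:
            reads[subject].append((ts, obj))
    flagged = {}
    for subject, hits in reads.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = {obj for _, obj in hits[start:end + 1]}
            if len(ids) > max_foreign_ids:
                flagged[subject] = sorted(ids)
                break
    return flagged
```

With the defaults only subject 3003 is flagged; widening the window to several hours also catches the slow reader 4004, which shows why a short window alone misses throttled extraction.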
The threat actor’s motivation appears to be financial, as evidenced by the private sale of the dataset. There is no indication of ransomware deployment, destructive activity, or persistent access within the infrastructure. The breach fits a recent pattern of attacks on French public sector digital services, including the Education Ministry and National Bank Accounts File earlier in 2026.
The agency has complied with legal and regulatory requirements, notifying the CNIL (France’s data protection authority), ANSSI (national cybersecurity authority), and the Paris Public Prosecutor. The Office anti-cybercriminalité (OFAC) is leading the technical investigation. Affected users have been notified, and the agency has issued warnings about potential phishing attempts leveraging the compromised data.
The technical root cause—IDOR in the ANTS API—is confirmed with high confidence based on multiple primary sources and technical analysis. Attribution to “breach3d” is supported by dark web monitoring but lacks law enforcement confirmation or technical artifacts linking the actor to previous campaigns.
Affected Versions & Timeline
The breach affected the ANTS/France Titres online portal, specifically the API endpoints responsible for managing identity document applications and user accounts. Both individual and professional accounts were impacted. The agency has not disclosed the specific software versions or API endpoints involved, but the vulnerability was present in the production environment as of April 15, 2026.
The verified timeline of events is as follows: On April 15, 2026, the breach was detected by ANTS/France Titres. On April 16, 2026, the threat actor “breach3d” claimed possession of 18–19 million records and offered the dataset for sale on criminal forums. Between April 20 and April 22, 2026, the agency publicly disclosed the incident, notified affected users, and informed regulatory and law enforcement bodies. The investigation and user notifications are ongoing as of April 30, 2026.
The agency has confirmed that uploaded documents were not compromised and that the exposed data alone does not permit unauthorized access to user accounts. The full scale of the breach is still being established, and the number of affected users has not been officially disclosed.
Threat Activity
The threat actor responsible for the breach, operating under the alias “breach3d,” exploited the IDOR vulnerability to extract user data from the ANTS API. The actor posted a claim on criminal forums on April 16, 2026, offering the dataset for sale. The dataset reportedly contains between 18 and 19 million records, including full names, contact details, birth data, home addresses, account metadata, gender, and civil status. These fields go beyond what the agency officially confirmed as exposed, suggesting that investigators are still reconciling the agency’s audit with the attacker’s claims.
The dataset has not been publicly leaked and remains a private listing, indicating a financially motivated actor rather than a hacktivist or state-sponsored group. Security researchers have noted that the attacker described the vulnerability as “elementary,” and technical analysis supports the conclusion that no advanced tooling or malware was used.
The combination of exposed data fields enables highly targeted phishing and social engineering attacks. Fraudsters can craft convincing messages that reference accurate personal details, increasing the likelihood of successful identity fraud. The presence of professional account data also raises concerns for businesses that interact with the ANTS portal, such as vehicle dealers and administrative service providers.
The breach follows a recent trend of attacks on French public sector digital services, including the Education Ministry and National Bank Accounts File earlier in 2026. There is no evidence of targeting outside the French government or administrative sector in this campaign.
Attribution to “breach3d” is supported by multiple dark web monitoring sources but lacks law enforcement confirmation or technical artifacts linking the actor to previous campaigns. There is no evidence of ransomware, destructive activity, or persistent access within the infrastructure.
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
Critical: Immediate remediation of the IDOR vulnerability in the ANTS API is essential. This includes implementing strict access controls, validating user authorization for all API endpoints, and conducting a comprehensive security review of the application’s access control mechanisms.
High: Notify all affected users and provide clear guidance on recognizing and reporting phishing attempts. Given the nature of the compromised data, users should be advised to exercise extreme caution with any communication purporting to be from ANTS or related government services.
High: Monitor for signs of identity fraud and targeted phishing campaigns leveraging the compromised data. This includes collaboration with financial institutions, law enforcement, and other government agencies to detect and respond to fraudulent activity.
Medium: Conduct a thorough audit of all API endpoints and web applications for similar vulnerabilities. Implement automated security testing and code review processes to identify and remediate access control flaws.
Medium: Enhance user authentication mechanisms, such as implementing multi-factor authentication (MFA) for both individual and professional accounts, to reduce the risk of unauthorized access in the event of future data exposure.
Low: Provide ongoing security awareness training for staff and users, emphasizing the risks of phishing and social engineering attacks following a data breach.
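The object-level authorization check called for in the Critical item above can be illustrated with a vulnerable lookup beside a hardened one. This is an added example, not ANTS code; the agency has not disclosed its endpoints, so the record store, `Principal`, `authorize_object` and the handler names are all hypothetical.

```python
import functools
from dataclasses import dataclass

# Constructed sample records; IDs and field names are illustrative only.
ACCOUNTS = {
    1001: {"name": "Alice Example", "email": "alice@example.test"},
    1002: {"name": "Bob Example", "email": "bob@example.test"},
    2001: {"name": "Garage Example SARL", "email": "pro@example.test"},
}
DENIED = []  # (caller, requested id) pairs, kept as an audit trail


@dataclass(frozen=True)
class Principal:
    """Authenticated caller, built server-side from the session (hypothetical)."""
    account_id: int
    delegated_ids: frozenset = frozenset()  # accounts a professional user acts for


class NotFound(Exception):
    """Same error for missing and forbidden IDs, so responses do not confirm which exist."""


def get_account_vulnerable(principal, account_id):
    # IDOR: the caller is authenticated, but the ID from the request is
    # trusted as-is and never compared with what the caller may access.
    return ACCOUNTS[account_id]


def authorize_object(handler):
    """Deny by default: run the handler only if the caller may access account_id."""
    @functools.wraps(handler)
    def wrapper(principal, account_id, *args, **kwargs):
        allowed = isinstance(account_id, int) and (
            account_id == principal.account_id
            or account_id in principal.delegated_ids
        )
        if not allowed or account_id not in ACCOUNTS:
            DENIED.append((principal.account_id, account_id))
            raise NotFound()
        return handler(principal, account_id, *args, **kwargs)
    return wrapper


@authorize_object
def get_account_hardened(principal, account_id):
    return ACCOUNTS[account_id]
```

Putting the check in a decorator applied to every object-returning handler keeps the rule in one place, and the `DENIED` trail gives monitoring a direct signal when a caller probes identifiers it does not own.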
The agency has already implemented additional security measures to maintain portal operations and protect user data. Regulatory notifications have been made to CNIL, ANSSI, and the Paris Public Prosecutor, and a criminal investigation is underway.
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor security risks in their digital supply chain. Our platform enables continuous monitoring of vendor security posture, automated risk assessments, and actionable insights to support compliance and incident response. For questions about this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.



