France Titres (ANTS) — 11.7 million citizen records via IDOR
French national ID-document portal exposed up to 19 million records via an IDOR flaw; 15-year-old hacker detained, charged by Paris prosecutors.
- Target: France Titres (ANTS) — 11.7 million citizen records via IDOR
- Date public: 30 April 2026
- Sector: Government
- Attack type: Data Breach
- Threat actor: breach3d (15-year-old French national, charged)
- Severity: High
- Region: France
France Titres, the French government agency that runs every passport, driving licence and vehicle-registration application through the ants.gouv.fr portal, suffered a mass data breach in mid-April 2026. The attacker did not deploy malware or steal an administrator's password. The portal's own API let any logged-in user fetch another user's account by simply incrementing a number in a request. There was no server-side check that the requester was allowed to see the data being returned. A 15-year-old, posting under the alias "breach3d", scripted that request in a loop and walked away with somewhere between 11.7 and 19 million records — names, dates of birth, email addresses, postal addresses, phone numbers and the ANTS account identifiers — which he then listed for sale on a criminal forum. He was detained on 25 April and charged by Paris prosecutors on 30 April. Uploaded copies of identity documents themselves were not exposed. The class of flaw — Insecure Direct Object Reference — has been in the OWASP Top 10 for more than a decade.
What happened
The Agence Nationale des Titres Sécurisés (ANTS), rebranded as France Titres in late 2024, is the French interior-ministry agency responsible for issuing and renewing every passport, national identity card, driving licence and vehicle registration document in France. Almost every adult French resident has an account on its portal, ants.gouv.fr. On or around 13 April 2026, an attacker discovered that the portal’s API, served from moncompte.ants.gouv.fr, would return any account’s data to any authenticated user who supplied the corresponding numeric identifier in the request. No further authentication, authorisation, role check or rate-limiting was required. The attacker scripted the call and harvested records in bulk over a period that has not been publicly disclosed but appears to have been measured in days rather than weeks.
The Ministry of the Interior publicly confirmed the incident on 15 April 2026 and, after the scope became clearer, issued an updated communiqué on 21 April stating that approximately 11.7 million accounts had been affected. The attacker — posting as “breach3d” on a Russian-language criminal forum — listed a dataset variously described as containing 18 or 19 million records, and uploaded samples to support the claim. The discrepancy between the official figure and the listed figure has not been formally reconciled; reporting suggests the listing may include duplicates, expired accounts and test records that ANTS does not count in its active-citizen total.
The compromised fields, per the Ministry, comprise full name, date of birth, login identifier, email address, and the ANTS unique account number. Some records also include postal address, place of birth and a phone number. Uploaded attachments — scanned identity documents, proofs of address, photographs — were held on a separate storage tier and were not, the Ministry has stated, accessed or exfiltrated.
The Paris Public Prosecutor’s cyber unit was notified on 16 April. A 15-year-old French national was detained on 25 April. The minor was charged on 30 April under articles of the French penal code covering unauthorised access to and maintenance within an automated data-processing system operated by the State, large-scale extraction of personal data, transmission of that data, and the possession of cyber-intrusion tools — together carrying a maximum sentence of seven years’ imprisonment and a €300,000 fine. He has been placed under judicial supervision pending trial. ANTS notified CNIL, the French data-protection authority, under Article 33 of the GDPR, and notified ANSSI, the French national cyber agency, in parallel.
How it worked
The vulnerability class is one of the oldest and most familiar in web security: Insecure Direct Object Reference, or IDOR. An IDOR exists when a server exposes a reference to an internal object — a database row, a file, an account — and the application trusts the value supplied by the client without independently checking that the calling user is entitled to see that object. The control failure is at the authorisation layer, not the authentication layer; the attacker is logged in as themselves, and the request is technically well-formed. The server simply does not ask the question “is the user behind this session allowed to read this row?” before answering.
In the ANTS case, the portal’s API exposed a per-account identifier — an integer — in URLs the user already saw in their own browser when navigating their own dashboard. Incrementing or otherwise iterating that integer in a request returned the corresponding account’s profile data without complaint. The attacker, in his own words to a French outlet, described the flaw as “really stupid”. From a defender’s perspective, that judgement is correct and structurally instructive: the missing control here is one of the cheapest and most well-known checks in modern web application development, and its absence on a citizen-data API operated by a national interior ministry is the part that warrants explanation more than the exploitation itself.
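To make the missing control concrete, the following is an added illustration (not France Titres/ANTS code, and not a reconstruction of their API): a profile endpoint that serves any row a logged-in user names, beside the same endpoint with a server-side object-level authorisation check, and a variant that takes the identifier from the session instead of the client. The account store, field names, the "agent" role and the HTTP-style return values are all constructed for the example.

```python
"""Added example (not France Titres/ANTS code): an IDOR-shaped profile endpoint
beside its hardened form. The data store, field names and roles are constructed."""
from dataclasses import dataclass

# Constructed account store: numeric account id -> profile row. The "owner" field
# is the login that the row belongs to.
ACCOUNTS = {
    1001: {"owner": "alice", "name": "Alice Dupont", "dob": "1980-01-01"},
    1002: {"owner": "bob", "name": "Bob Martin", "dob": "1975-06-15"},
}


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller once authentication has succeeded."""
    user: str               # authenticated login
    account_id: int         # the single account this login owns
    role: str = "citizen"   # "agent" models back-office staff with a legitimate caseload


def get_account_vulnerable(session: Session, account_id: int):
    """Authentication only. Any valid session is served any row it names: this is
    the IDOR. The session argument is accepted but never consulted.
    Returns an HTTP-style (status, body) pair."""
    row = ACCOUNTS.get(account_id)
    return (200, row) if row is not None else (404, None)


def get_account_hardened(session: Session, account_id: int):
    """Object-level authorisation, evaluated server-side on every request: the row
    is returned only if the caller owns it or holds a role allowed to read other
    people's rows. 'Not found' and 'not yours' share one response so the endpoint
    does not become an oracle for which identifiers exist."""
    row = ACCOUNTS.get(account_id)
    if row is None:
        return (404, None)
    if row["owner"] != session.user and session.role != "agent":
        return (404, None)
    return (200, row)


def get_own_account(session: Session):
    """Stronger still: derive the identifier from the session, never from the
    client. A /me-style route has no parameter to iterate."""
    row = ACCOUNTS.get(session.account_id)
    return (200, row) if row is not None else (404, None)


if __name__ == "__main__":
    alice = Session(user="alice", account_id=1001)
    # The vulnerable handler hands Alice's session Bob's row; the hardened one refuses.
    print("vulnerable:", get_account_vulnerable(alice, 1002))
    print("hardened:  ", get_account_hardened(alice, 1002))
    print("own:       ", get_own_account(alice))
```

The check in `get_account_hardened` is the whole difference: one comparison between the row's owner and the authenticated principal, made before anything is returned. Rate limits and unguessable identifiers are worth adding around it, but the text's point stands: none of them substitutes for this comparison.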
Three contextual factors deserve attention. First, IDOR vulnerabilities are not detected by traditional perimeter defences. They are not signature-matchable, do not generate anomalous packet patterns, and do not require any malware or exploit framework. They are detected by application-aware security testing — authenticated DAST, well-designed bug-bounty scope or manual code review — none of which appear to have caught this. Second, the missing rate-limiting compounds the failure: an authorisation gap with rate limits would have leaked individual records; an authorisation gap without rate limits is what bulk-exports an eight-figure dataset. Third, the attacker did not need to escalate privilege, pivot laterally or evade detection. The request that returned someone else’s data and the request that returned his own data were indistinguishable to the application stack he was talking to. Logging that records “user X accessed account Y” is only useful when somebody asks why user X accessed three million accounts before lunch; in the absence of that monitoring layer, the breach was effectively silent until the dataset showed up on a forum.
The blurring of the boundary between authentication and authorisation runs through almost every recent web-application breach worth filing. The ANTS case is its most teachable form because the technical mechanism is so plain that the broader argument can be made without distraction.
Timeline
- ~13 April 2026 — Initial exploitation of the IDOR vulnerability on moncompte.ants.gouv.fr begins; bulk extraction is scripted against the API.
- 15 April 2026 — Ministère de l’Intérieur publishes its first communiqué confirming an incident on the ANTS portal.
- 16 April 2026 — Paris Public Prosecutor’s cyber unit notified; criminal investigation opened.
- 17–20 April 2026 — “breach3d” lists 18–19 million records for sale on a criminal forum and taunts ANTS publicly.
- 21 April 2026 — Ministry of the Interior updates its communiqué, confirming 11.7 million affected accounts and the fields exposed; ANTS notifies CNIL under Article 33 GDPR and notifies ANSSI.
- 25 April 2026 — A 15-year-old French national is detained.
- 30 April 2026 — Paris prosecutors formally charge the minor and place him under judicial supervision; press release issued by Tribunal de Paris.
What defenders should learn
The headline lesson, which the application-security community will state with some weariness because it has stated it for fifteen years, is that authorisation has to be enforced server-side, per request, against every object identifier the client supplies. Defence-in-depth measures around this — IDs that are unguessable, rate limits that catch enumeration, anomaly detection that flags an account reading three million records in a morning — are useful, but none of them is a substitute for the missing object-level access check. Where the responsibility for that control lives inside an organisation is its own question. In most modern stacks it belongs in the API gateway and the service layer together, and in a public-sector portal of this scale it would be expected to have been validated by independent application security testing as part of the system’s homologation.
The broader observation for anyone running a government-facing or financial-services-facing customer portal is that the modern blast-radius surface is the authorisation matrix on a small number of high-traffic API endpoints, not the network underneath them. A breach of this shape is not stopped by a firewall, an EDR agent, or a VPN; it is stopped by the application’s own logic recognising that the user behind a session is not entitled to the row it is being asked to return. That recognition is a segmentation control in everything but name. The work of building it — explicit object-level authorisation, per-route policy enforcement, monitoring of identifier enumeration patterns, and treating the API as a first-class component of the threat model rather than a transport layer — is now defender work, and the ANTS case is, at minimum, a useful prompt to ask whether anyone in the organisation has actually done it.
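The monitoring layer described above (the "user X accessed three million accounts before lunch" question in the How it worked section, and "monitoring of identifier enumeration patterns" in the paragraph just read) is the kind of check that is cheap to run over existing access logs. What follows is an added example, not ANTS tooling or telemetry: it parses a constructed log format of one line per API read, then flags any principal who reads many distinct account identifiers inside a short window or walks a run of consecutive identifiers. The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Added example (not ANTS code): flag identifier enumeration in API access logs.
Log format, thresholds and sample data are constructed for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> user=<login> account=<numeric id> status=<code>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) account=(\d+) status=(\d+)$")


def parse(lines):
    """Yield (timestamp, user, account_id, status) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, user, acct, status = m.groups()
        yield datetime.fromisoformat(ts), user, int(acct), int(status)


def detect_enumeration(lines, window=timedelta(minutes=10),
                       distinct_threshold=20, sequential_run=10):
    """Return {user: reason} for principals whose successful reads look like
    enumeration rather than a citizen looking at their own dashboard."""
    events = defaultdict(list)
    for ts, user, acct, status in parse(lines):
        if status == 200:               # only successful reads actually leak data
            events[user].append((ts, acct))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        reasons = []

        # 1. Most distinct identifiers read inside any sliding time window.
        max_distinct, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            max_distinct = max(max_distinct, len({a for _, a in evs[start:end + 1]}))
        if max_distinct >= distinct_threshold:
            reasons.append(f"{max_distinct} distinct accounts within {window}")

        # 2. Longest run of consecutive identifiers in access order (id, id+1, ...).
        run = best = 1
        for (_, a), (_, b) in zip(evs, evs[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= sequential_run:
            reasons.append(f"sequential run of {best} ids")

        if reasons:
            flagged[user] = "; ".join(reasons)
    return flagged


def sample_log():
    """Constructed log lines, not real ANTS telemetry: alice reads her own account
    three times; mallory iterates thirty consecutive ids a second apart, then hits
    one that does not exist."""
    t0 = datetime(2026, 4, 13, 9, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=m)).isoformat()} user=alice account=1001 status=200"
             for m in (0, 5, 40)]
    lines += [f"{(t0 + timedelta(seconds=s)).isoformat()} user=mallory account={5000 + s} status=200"
              for s in range(30)]
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} user=mallory account=5030 status=404")
    return lines


if __name__ == "__main__":
    for user, reason in detect_enumeration(sample_log()).items():
        print(f"{user}: {reason}")
```

Both signals depend on the application logging which account identifier each request touched, keyed to the authenticated principal; without that field the question cannot be asked after the fact. The thresholds are deliberately loose here and would be tuned against the portal's own baseline, with an exemption or a separate baseline for roles whose job is to read many accounts.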
Sources
- Ministère de l'Intérieur — Incident de sécurité relatif au portail ants.gouv.fr // primary
- Parquet de Paris — Communiqué de presse: interpellation, fuite de données ANTS (30 April 2026) // primary
- BleepingComputer — 15-year-old detained over French govt agency data breach // reporting
- BleepingComputer — French govt agency confirms breach as hacker offers to sell data // reporting
- Help Net Security — Cyberattack on French government agency triggers phishing alert // reporting
- The Record (Recorded Future News) — France investigates 15-year-old over alleged hack of national ID agency // reporting
- Cyberinsider — France arrests 15-year-old hacker who stole data of 11.7 million people // reporting