France Titres (ANTS) — 11.7 million citizen records via IDOR
French national ID-document portal exposed up to 19 million records via an IDOR flaw; 15-year-old hacker detained, charged by Paris prosecutors.
- Target: France Titres (ANTS) — 11.7 million citizen records via IDOR
- Date public: 30 April 2026
- Sector: Government
- Attack type: Data Breach
- Threat actor: breach3d (15-year-old French national, charged)
- Severity: High
- Region: France
In mid-April 2026 the Agence Nationale des Titres Sécurisés (ANTS) — the French national agency that issues and manages identity documents, driving licences and vehicle registration through the ants.gouv.fr portal — detected a security incident on its citizen-facing platform. The Ministry of the Interior confirmed on 21 April that approximately 11.7 million accounts had been affected; reporting from cyber-security researchers and the attacker’s own boasts placed the upper bound between 18 and 19 million records exfiltrated. Compromised fields included name, date of birth, email address, login identifier and the ANTS unique account identifier. The Ministry stated that uploaded attachments — copies of identity documents and proofs of address — were not compromised.
The exploited vulnerability has been reported as an Insecure Direct Object Reference (IDOR) flaw on the citizen portal, which the attacker described publicly as “really stupid” — modifying a single identifier in an API request returned another user’s account data, with no authorisation check. The Ministry of the Interior has not yet formally confirmed the technical mechanism in its public communications.
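The reported flaw class and the control that closes it, as an added example that is not ANTS code and assumes the mechanism is as reported: an account lookup with the ownership check missing, the same lookup with object-level authorisation, and a log check that flags one session requesting many accounts it does not own. The store, field names, function names and log entries are all constructed for illustration.

```python
from collections import defaultdict

# Constructed in-memory store; field names are illustrative, not the ANTS schema.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.test"},
    1002: {"owner": "bob", "email": "bob@example.test"},
    1003: {"owner": "carol", "email": "carol@example.test"},
}

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""

def get_account_unchecked(session_user, account_id):
    # IDOR pattern: the caller is authenticated, but the identifier taken
    # from the request is trusted as-is and ownership is never compared.
    return ACCOUNTS[account_id]

def get_account(session_user, account_id):
    # Object-level authorisation: the record must belong to the session user.
    # Unknown and foreign ids fail identically, so responses do not reveal
    # which identifiers exist.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(account_id)
    return record

def flag_enumeration(log, threshold=3):
    """Return sessions that requested >= threshold distinct accounts they do not own."""
    foreign = defaultdict(set)
    for session_user, account_id in log:
        record = ACCOUNTS.get(account_id)
        if record is None or record["owner"] != session_user:
            foreign[session_user].add(account_id)
    return {u: sorted(ids) for u, ids in foreign.items() if len(ids) >= threshold}

# Constructed access log: (authenticated user, account id requested).
SAMPLE_LOG = [
    ("alice", 1001), ("bob", 1002), ("carol", 1003),
    ("bob", 1001), ("bob", 1003), ("bob", 1004), ("alice", 1001),
]
```

The detection counts distinct foreign identifiers per session rather than raw request volume, so it still fires when the hardened handler is already rejecting the requests.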
On 25 April French authorities detained a 15-year-old suspect who operated online under the alias “breach3d” and was offering the dataset for sale on a breach forum. Paris prosecutors opened a formal investigation on 30 April and the minor has been placed under judicial supervision, charged with unauthorised access, data exfiltration and possession of offending software. The maximum sentence under French law is seven years’ imprisonment and a €300,000 fine.
A deep-dive will follow once ANTS publishes a full post-incident technical disclosure, the IDOR vulnerability is formally confirmed, and the CNIL (French data-protection regulator) has weighed in on the breach-notification and design-failure implications.