France Titres Breach Exposed Up to 19 Million Identity Records
France Titres, the French agency formerly known as ANTS and responsible for identity and registration documents, confirmed a breach of its ants.gouv.fr portal after threat actor breach3d advertised a trove of stolen records for sale on cybercrime forums. The agency said the compromised data may include login IDs, full names, email addresses, dates and places of birth, account identifiers, and in some cases postal addresses and phone numbers from both individual and professional accounts. Other reporting on the sale listings said the dataset could contain 18 million to 19 million records, including fields indicating government-verified identities, raising the risk of phishing, social engineering, and identity fraud if the claims are fully accurate.
French authorities said unusual activity was identified in mid-April and launched parallel technical and judicial investigations involving ANSSI, CNIL, the Paris Public Prosecutor, and anti-cybercrime investigators. Prosecutors later announced the arrest of a 15-year-old suspect in connection with the case after records linked to the agency were allegedly offered for sale online, and said the inquiry covers unauthorized access, persistence, and extraction of personal data from a state-operated system. France Titres has notified affected individuals and said the stolen information does not provide direct access to user accounts or the portal itself, while warning citizens to remain alert for follow-on scams and impersonation attempts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Judicial investigation is formally opened in ANTS leak case
French prosecutors formally opened a judicial investigation into the ANTS data leak case. The move escalated the case from a preliminary criminal investigation to judge-led proceedings.
French authorities arrest 15-year-old in ANTS data leak case
French authorities announced the arrest of a 15-year-old minor in connection with the ANTS/France Titres data leak. Prosecutors sought charges and judicial supervision while the investigating judge continued overseeing the inquiry.
France Titres publicly discloses breach and begins notifications
France Titres confirmed the cyberattack and warned that the stolen personal data could be used for phishing, social engineering, and identity theft, while stating the data did not provide direct access to user accounts or the portal. The agency began notifying affected individuals and involved CNIL, ANSSI, law enforcement, and external cybersecurity experts.
Paris prosecutor opens criminal investigation into ANTS intrusion
The cybercrime section of the Paris prosecutor's office opened an investigation into fraudulent access, persistence, and extraction of personal data from a state-operated system. This followed notification to French anti-cybercrime authorities about the attack and sale of the data.
France Titres detects breach affecting ants.gouv.fr portal
France Titres said it detected the breach affecting its ants.gouv.fr portal on April 15, 2026. The exposed data may include login IDs, names, email addresses, birth dates, account identifiers, and in some cases postal addresses, places of birth, and phone numbers.
Stolen ANTS data is advertised for sale on cybercrime forums
Threat actors including breach3d, and in some reports EvilDump and ExtaseHunters, advertised a purported ANTS/France Titres database for sale. The offered dataset was described as containing roughly 12 to 19 million citizen records with sensitive identity information.
ANTS detects unusual activity on its network
France Titres/ANTS identified unusual activity on its network, marking the earliest known detection of the incident. Prosecutors later said this occurred on April 13, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
France Titres data breach: 19 million records allegedly stolen | brief | SC Media
scworld.com
Open sourceFrench government agency admits data breach as hacker alleges up to 19 million sensitive records stolen - breach may have exposed 'data from individual and professional accounts' | TechRadar
techradar.com
Open sourceCP - Interpellation dans l'affaire des fuites données ANTS | Parquet de Paris - Procureure, Laure Beccuau | 42 comments
linkedin.com
Open sourceFrance's National ID Agency ANTS Allegedly Breached, 18 Million Citizen Records With Government-Verified Identities Listed for Sale
darkwebinformer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyberattack on France’s ANTS portal may have exposed identity document user data
France’s Interior Ministry disclosed a cyberattack on the National Agency for Secure Documents (**ANTS**) portal, `ants.gouv.fr`, the government platform used to manage passport, national ID card, residence permit, and driver’s license applications. Detected on April 15, the incident may have exposed personal data tied to individual and professional accounts, including login identifiers, names, email addresses, dates of birth, and account IDs, with some records also potentially containing postal addresses, places of birth, and phone numbers. Officials said uploaded administrative documents were not compromised and that the exposed data cannot be used to directly access ANTS accounts. French authorities reported the breach to **CNIL**, notified prosecutors, and alerted the national cybersecurity agency as investigators work to determine the scope, origin, and impact of the intrusion. The number of affected users has not been disclosed, but impacted individuals are being notified and urged to watch for suspicious messages. Separately, an unverified threat actor has claimed to be selling a dataset allegedly stolen from ANTS containing roughly **18–19 million** records, heightening concerns over identity theft and fraud if the claim is confirmed.
May 13, 2026
French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its `Compass` platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about **243,000 people**, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on **multi-factor authentication**, stronger data segmentation, and reduced application exposure. Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about **1.5 million people**. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves **"Ryolait"** allegedly offered the stolen database for sale starting at **$2,000**. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
Mar 26, 2026
Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts
France’s Ministry of the Economy and Finance confirmed that an attacker **accessed and consulted data tied to ~1.2 million French bank accounts** by using **stolen login credentials** belonging to an authorized government user of the national bank account registry (*FICOBA*). The intrusion began in **late January 2026** and exposed account-linked personal data including **IBANs**, account holder **names**, **addresses**, and in some cases **tax identification numbers** (DGFiP-issued). Authorities stated the access did **not** enable viewing balances or initiating transactions. After detection, the ministry reported it **blocked the attacker**, notified France’s data protection authority (**CNIL**), and **filed a criminal complaint**; impacted individuals are expected to be contacted directly, and **banks were alerted** to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting **La Poste/La Banque Postale** and the **Interior Ministry**), though no motive or attribution for the FICOBA access has been publicly confirmed.
Apr 7, 2026