Massive Breach of France Titres Exposes 11.7 Million Citizen Records
Severity: High (Score: 68.0)
Sources: www.decryptiondigest.com, www.safestate.com, Rescana, darkwebinformer.com, www.helpnetsecurity.com
Keywords: titres, ants, government, france, identity, french, agency
Severity indicators: breach, government
Summary
On April 24, 2026, France Titres confirmed a breach of its identity portal, compromising 11.7 million citizen accounts. The breach was attributed to a group of threat actors known as EvilDump, ExtaseHunters, and Breach3d, who claimed to have extracted between 18 and 19 million records. The attack exploited an Insecure Direct Object Reference (IDOR) vulnerability in the ANTS API, allowing unauthorized access to sensitive user data. Affected records include full names, dates of birth, addresses, and unique identifiers, posing significant risks for identity fraud and phishing attacks. The dataset is currently being offered for sale on dark web forums. French authorities, including ANSSI and CNIL, are investigating the breach and have notified affected users. The incident highlights the vulnerabilities in government systems that manage sensitive identity data.

Key Points:
- 11.7 million citizen records compromised due to an IDOR vulnerability in the ANTS API.
- Threat actors are selling the dataset on dark web forums, increasing risks of identity fraud.
- The breach affects both individual and professional accounts, with government-verified identity data.
Detailed Analysis
**Impact** 11.7 to 19 million French citizen records were compromised, representing roughly one-third of France’s population. Affected data includes government-validated full legal names, dates and places of birth, residential addresses, phone numbers, email addresses, civil status, unique account identifiers, and login credentials for both individual and professional users. The breach impacts the French public sector, including identity verification for passports, driver’s licenses, vehicle registrations, and national identity cards. The data’s government-verified status increases risks of identity fraud, SIM-swap attacks, spear-phishing, and impersonation across financial, healthcare, and administrative services.

**Technical Details** The breach exploited an Insecure Direct Object Reference (IDOR) vulnerability in the ANTS API, allowing unauthorized enumeration and extraction of user records via manipulated request parameters. No malware or credential stuffing was involved; the attack relied on direct API manipulation. The threat actors—EvilDump, ExtaseHunters, and Breach3d—exfiltrated data through structured database extraction. The incident maps to MITRE ATT&CK techniques including Exploitation of Remote Services (T1210), Automated Collection (T1119), and Valid Accounts (T1078). No CVEs or malware indicators were reported.

**Recommended Response** Immediately audit and remediate API authorization controls to prevent IDOR vulnerabilities, ensuring strict validation of user-supplied parameters. Deploy monitoring for unusual API access patterns and implement rate limiting to detect automated data extraction attempts. Notify affected users and regulatory bodies, and enhance phishing detection and user awareness programs to mitigate social engineering risks. Continue investigation to identify any secondary compromise or lateral movement within the infrastructure.
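The monitoring recommended above can be sketched as a log check that flags sessions successfully reading many accounts other than their own in a short window. This is an added example, not code from France Titres or the cited sources; the log format, the `/api/accounts/<id>` path and the rule that a session may only read its own account are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format:
# <ISO time> <session subject id> <method> <path> <status>
SAMPLE_LOG = """\
2026-01-01T10:00:00 1001 GET /api/accounts/1001 200
2026-01-01T10:00:05 1001 GET /api/accounts/1001/documents 200
2026-01-01T10:00:01 2002 GET /api/accounts/5000 200
2026-01-01T10:00:02 2002 GET /api/accounts/5001 200
2026-01-01T10:00:03 2002 GET /api/accounts/5002 200
2026-01-01T10:00:04 2002 GET /api/accounts/5003 200
2026-01-01T10:30:00 3003 GET /api/accounts/7000 403
"""

LINE = re.compile(r"^(\S+) (\d+) (\w+) /api/accounts/(\d+)\S* (\d{3})$")

def parse(log):
    """Yield (time, subject, object_id, status) for account-scoped requests."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, subject, _method, obj, status = m.groups()
            yield datetime.fromisoformat(ts), subject, obj, int(status)

def find_enumeration(log, max_foreign=3, window=timedelta(minutes=5)):
    """Return {subject: foreign ids} for sessions that successfully read more
    than max_foreign accounts other than their own within one window."""
    hits = defaultdict(list)  # subject -> [(time, foreign object id)]
    for ts, subject, obj, status in sorted(parse(log)):
        if obj != subject and 200 <= status < 300:
            hits[subject].append((ts, obj))
    flagged = {}
    for subject, events in hits.items():
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {o for _, o in events[start:end + 1]}
            if len(ids) > max_foreign:
                flagged[subject] = sorted(ids)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Under the stated ownership assumption, even one successful read of another account indicates a missing object-level authorization check; the threshold only separates that finding from bulk extraction.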
Source articles (5)
- France Titres (ANTS) Identity Portal Breach: Massive IDOR Vulnerability Exposes Millions of ... — Rescana · 2026-06-09
  On April 15, 2026, the French government’s official identity document portal, operated by Agence nationale des titres sécurisés (ANTS), also known as France Titres, detected a significant security b…
- France Titres Ants Breach 11 Million Identity Records — www.decryptiondigest.com · 2026-06-09
  France Titres — the French government agency that manages passport applications, driver's licence renewals, and national identity card issuance for every French citizen — confirmed on April 24, 2026 t…
- Frances National Id Agency Ants Allegedly Breached 18 Million Citizen Records With Government Verified Identities Listed For Sale — darkwebinformer.com · 2026-06-09
  A group of threat actors (EvilDump, ExtaseHunters, and Breach3d) claims to have compromised ANTS (Agence Nationale des Titres Securises), the French government agency responsible for issuing and manag…
- France Titres Online Portal Data Breach — www.helpnetsecurity.com · 2026-06-09
- French Government Agency Data Breach Hits Up To 19 Million Citizens — www.safestate.com · 2026-06-09
Timeline
- 2026-04-15 — Security breach detected at France Titres: The breach was identified, exposing personal data from millions of user accounts through an IDOR vulnerability.
- 2026-04-16 — Threat actors claim responsibility: A group of threat actors posted on criminal forums, claiming to have access to 18-19 million records for sale.
- 2026-04-24 — France Titres confirms breach: The agency confirmed the breach, revealing the scale of compromised accounts and the nature of the data exposed.
Related entities
- Credential Stuffing (Attack Type)
- Data Breach (Attack Type)
- Phishing (Attack Type)
- SQL Injection (Attack Type)
- France Titres (Company)
- France Titres ANTS (Company)
- France (Country)
- CWE-89 - SQL Injection (Cwe)
- ants.gouv.fr (Domain)
- rescana.com (Domain)
- Financial (Industry)
- Government (Industry)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1119 - Automated Collection (Mitre Attack)
- T1210 - Exploitation Of Remote Services (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- API (Platform)
- Windows (Platform)