Cybersecurity | 1 hr ago

France's Secure ID Agency Investigates Alleged Breach of Up to 19 Million Records

France's National Agency for Secure Titles reports a possible breach affecting up to 19 million records. Details on scope, response and what defenders should watch next.

Peter Olaleru/3 min/GB

Cybersecurity Editor

Source: Worldatlas

French officials confirm a security incident at the ants.gouv.fr portal after criminals claimed to have stolen 18‑19 million identity records, roughly a third of the population. The agency says exposed data includes names, emails, birthdates and addresses but not procedural attachments.

Context: The ants.gouv.fr portal is operated by France’s National Agency for Secure Titles, which issues passports, ID cards, driver’s licenses and vehicle registrations. The Interior Ministry acknowledged the incident on April 15, noting that technical investigations by ANTS teams and government cyber‑security services are underway to determine the origin and extent of the leak.

Key Facts: Criminal actors using the aliases “breach3d” and “ExtaseHunters” posted on underground forums claiming to have exfiltrated between 18 and 19 million records. They describe the data as a “structural” compromise rather than a recycled dump. The agency has not validated the count but confirmed that the exposed information does not include attachments submitted during application procedures and, according to its notice, does not allow unauthorized access to portal accounts. No specific vulnerability or attack vector has been disclosed publicly.

What It Means: If the claim is accurate, the breach would affect a significant portion of French citizens, increasing risks of identity theft, phishing and credential‑stuffing attacks. Defenders should enforce multi‑factor authentication on all public‑facing services, monitor for anomalous login attempts (MITRE ATT&CK T1078), and deploy web‑application firewalls to block exploitation of public‑facing apps (MITRE ATT&CK T1190). Patching known vulnerabilities in web frameworks and reviewing access logs for the ants.gouv.fr domain are immediate steps. Organizations that rely on French identity verification services should validate any incoming data against trusted sources and consider additional verification layers.

Investigators will continue to trace the leak’s origin and watch for the data’s appearance on underground markets.
