France Titres Confirms a Breach Affecting 11.7 Million People: Passports, Licenses, National IDs

France Titres — the French government agency that manages driver's licenses, passports, and national identity cards — has confirmed a data breach affecting 11.7 million people. A hacker operating under the moniker "breach3d" breached the agency on April 15, 2026, and is now offering to sell the stolen data. The compromised records include login credentials, full names, email addresses, dates of birth, home addresses, and phone numbers.
What Was Taken
The breach affected the ANTS (Agence Nationale des Titres Sécurisés) portal, which French citizens use to apply for and manage official identity documents. The hacker initially claimed 19 million affected accounts; France Titres confirmed 11.7 million. The discrepancy likely reflects duplicate or inactive accounts in the original claim.
The compromised data is high-value material for identity theft and phishing. Taken together, a full name, date of birth, address, email, and phone number are enough to convincingly impersonate someone in social engineering attacks, SIM swap fraud, or targeted phishing campaigns that reference real personal details to appear legitimate.
The Official Response
France Titres stated that the exposed data "does not allow unauthorized access" to government portals — meaning the breach does not directly enable document fraud. French data protection authority CNIL, the Paris Public Prosecutor, and cybersecurity agency ANSSI are all investigating. The agency has recommended users remain "vigilant against phishing attempts."
"Remain vigilant against phishing" is the government's universal response to breaches involving exactly the data that makes phishing effective. The practical advice is more specific: if you have a France Titres account, change your password on any other service where you used the same credentials, and be deeply suspicious of any communication claiming to be from French government agencies in the coming weeks.
Why Government Document Agencies Are High-Value Targets
National ID and document management agencies hold uniquely persistent personal data — the kind that doesn't change after a breach. Credit card numbers can be cancelled. Email addresses can be changed. Your date of birth, full legal name, and national ID number cannot. A breach of this type has a long tail: the data remains useful for fraud and social engineering for years after the initial incident.
My Take
The gap between the April 15 breach date and the April 23 public confirmation is eight days, during which 11.7 million people had no way to protect themselves. CNIL's investigation and the prosecutorial referral are appropriate responses — but they don't help the people whose data is already on a marketplace. France should move faster on breach notification timelines for incidents of this scale. Eight days is too long.