"These 18 to 19 million files contain an impressive amount of personally identifiable information," a forum posting claims — a haul the seller says would represent roughly a third of France's population.
What the portal is and what officials disclosed
The intrusion centers on the ants.gouv.fr portal, run by the National Agency for Secure Titles — now rebranded as France Titers — the service that handles passports, ID cards, driver's licences and vehicle registrations. The French Interior Ministry confirmed a “security incident” affecting that portal, saying the theft was detected on April 15.
According to the ministry, personal data tied to user accounts may have been exposed, including login IDs, full names, email addresses, dates of birth, unique account identifiers, postal addresses and telephone numbers. The ministry stressed: "The disclosure of data does not include additional data submitted during the various procedures, such as attachments." It added that "This personal data does not allow unauthorized access to the portal account."
Technical investigations began as soon as the incident was detected and "are ongoing," the ministry said, and are being conducted by ANTS teams and the relevant services to "determine precisely the origin and extent of the incident."
The forum seller's claim and how they describe the breach
A cybercriminal operating under the aliases "breach3d" and "ExtaseHunters" has posted in criminal forums claiming to have broken into the agency’s internal infrastructure and taken between 18 and 19 million records. The seller describes the compromise as "structural" and fresh, not a re‑packaged collection of old leaks, and is actively offering the dataset for sale.
In the listing the attacker mocked the government's cyber defences: "It seems the French government would do better to stick to the culinary arts: their digital defenses are as crumbly as their croissants." So far, the government has not confirmed the seller's numbers, and there is no public detail about the attackers' method of entry or how long they may have had access.
This incident in the context of recent public‑sector intrusions
The timing comes amid a run of public‑sector security incidents in France. The Education Ministry recently disclosed an intrusion that involved impersonation of an authorized staff account, which gave attackers access to a service linked to the ÉduConnect platform used by students and families. Earlier this year attackers gained access to part of France's national bank account registry, exposing data tied to around 1.2 million accounts.
Whether the ANTS incident ultimately matches the scale claimed on the forums or is smaller in scope, it arrives against that backdrop — and not the kind of headline an agency whose core mission is protecting identity data wants to see.
What this means for ANTS teams, the French Interior Ministry, and the public
- ANTS teams and internal responders: they are leading the technical investigation and will focus on determining "the origin and extent of the incident," as the ministry put it — including whether the compromise involved internal infrastructure or exposed additional types of data.
- The French Interior Ministry and relevant services: they must decide whether to confirm the scale of the seller's claim and, if warranted, issue notifications or mitigation guidance. The ministry has already drawn a distinction between account metadata exposed and the attachments submitted during procedures.
- Members of the public whose records could be involved: the list of potentially exposed fields — names, dates of birth, emails, postal addresses, telephone numbers and unique account identifiers — is precisely the kind of information that can be used for targeted scams, social engineering or identity fraud, even if it does not grant direct access to portal accounts, according to the ministry's note.
Where the record stands and the next concrete step
At present the concrete, confirmed facts are narrow: an incident detected on April 15, a government notice describing certain account fields that "may" have been exposed, and ongoing technical investigations led by ANTS teams and relevant services. The larger claim — 18 to 19 million records — is being peddled on criminal forums by an actor calling themselves "breach3d" or "ExtaseHunters," who insists the dataset is fresh and structural. The government has not corroborated that figure, nor released technical detail on the attack vector or dwell time.
For an agency tasked with keeping identity data under lock and key, the immediate next step is the outcome of the technical probe: whether investigators can trace the origin, measure the full extent of the data involved, and validate or refute the marketplace claim. Until that work is done, the gap between a forum posting and an official, forensic finding will remain the central unresolved fact in this story — and for millions of people it will be the difference between an alarming claim and a confirmed loss of personal information.
