
France’s national identity document agency has confirmed what millions of citizens fear most: their government’s records of who they are — names, birth dates, contact details, addresses — have been stolen and are being sold on criminal forums. The breach at ANTS (Agence Nationale des Titres Sécurisés), confirmed April 22, 2026, exposed the personal records of at least 11.7 million accounts. The threat actor behind it is claiming as many as 19 million.

This is not a corporate data breach involving loyalty points or shopping history. ANTS is the French government agency that issues and manages national identity cards, passports, driving licenses, and other official documents for every citizen in France. Its database is, by definition, a comprehensive registry of who French citizens are.

What ANTS Is — and Why This Breach Matters

ANTS (the Agence Nationale des Titres Sécurisés) operates under the French Ministry of the Interior. It manages the issuance of identity documents for France’s 68 million citizens, as well as residents and foreign nationals with French documentation. The ANTS portal allows citizens and professionals to apply for and track identity documents, driving licenses, vehicle registrations, and immigration papers.

The agency detected the breach on April 15, 2026. It publicly confirmed the incident on April 22 after a threat actor operating under the aliases “breach3d” and “ExtaseHunters” appeared on criminal forums advertising the stolen data for sale.

ANTS has since confirmed that 11.7 million accounts were materially compromised. The threat actor’s claim of 18–19 million records likely reflects the total size of the database accessed, including records that may not correspond to active accounts.

What Was Stolen

According to ANTS and independent analysis of the data samples circulating on criminal forums, the stolen records include:

  • Full legal names
  • Dates of birth
  • Places of birth
  • Email addresses
  • Phone numbers
  • Postal addresses
  • Unique account identifiers (login IDs)

Notably, ANTS has stated that document scans, passport photographs, and authentication credentials were not in the accessed systems — meaning the breach does not directly enable someone to create fraudulent identity documents. However, the combination of data that was stolen is more than sufficient to enable the next wave of attacks against these individuals.

How Stolen Identity Data Becomes a Scam

A database of 11.7 million verified, government-linked records — with names, birthdates, addresses, email addresses, and phone numbers — is extraordinarily valuable to cybercriminals, not because it enables forgery, but because it enables highly personalized fraud.

Consider what a scammer can do with this data:

Targeted phishing emails — An email that correctly states the recipient’s full name, date of birth, and home address, appearing to come from a government agency, is far more convincing than a generic phishing attempt. Victims are vastly more likely to click a link or provide additional information when the message demonstrates specific knowledge about them.

Voice phishing (vishing) — A caller who can recite your date of birth, address, and confirm your phone number as part of an “identity verification” call can pass as a legitimate government official in seconds. This data is perfect for building that script.

SIM-swap fraud — Phone numbers combined with personal identifying information are the core inputs for convincing mobile carriers to transfer a victim’s number to a criminal-controlled SIM. Once they have your number, they intercept two-factor authentication codes and gain access to banking and email.

Identity fraud applications — The combination of name, DOB, address, and email is sufficient to apply for credit, open accounts, or pass basic identity verification at financial institutions that rely on knowledge-based authentication.

Credential stuffing — If any of the exposed email addresses reuse passwords across services, those accounts are now at elevated risk from automated login attacks.

France’s data protection authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), has been formally notified under Article 33 of GDPR, which requires breach notification to supervisory authorities within 72 hours of discovery. The Ministry of the Interior has also filed a criminal referral with the Paris Prosecutor under Article 40 of the Code of Criminal Procedure.

The investigation is being led jointly by French cybersecurity agency ANSSI (Agence nationale de la sécurité des systèmes d’information) and law enforcement.

Under GDPR, a breach of this scale at a government agency carries significant regulatory scrutiny. While government bodies face different liability structures than private companies, the CNIL has the authority to issue reprimands, require remediation, and publicly report on compliance failures.

What Affected Citizens Should Do

If you have ever used the ANTS portal — to apply for a passport, renew a driving license, register a vehicle, or manage immigration documents — you should assume your data was included in this breach.

Immediate steps:

  1. Be extremely skeptical of any contact claiming to be from a French government agency — by email, phone, or post — over the next several months. Scammers will use this data to run impersonation campaigns that appear legitimate because they reference your correct personal details.

  2. Change your ANTS portal password immediately, even though login credentials were reportedly not stolen. The combination of your email and personal data in criminal hands makes your accounts a priority target.

  3. Enable two-factor authentication on all accounts linked to your exposed email address, particularly banking, email, and government services.

  4. Monitor your credit reports for unauthorized applications. In France, you can request free credit reports through Experian, Equifax, or Creditreform.

  5. Be alert to SIM-swap attempts — if your phone unexpectedly loses signal for an extended period, contact your carrier immediately.

  6. Do not confirm personal details to unsolicited callers, even if they already appear to know information about you. That information may have come from this breach.

The Broader Pattern: Government Breaches Enable Future Fraud

This breach follows a now-familiar pattern: government identity infrastructure, trusted precisely because it holds authoritative records of who citizens are, becomes a force multiplier for fraud when it falls. The value of the ANTS dataset is not just the data itself — it is the legitimacy that comes with government-verified records.

When a scammer knows your name, birthdate, address, and contact details because they came from the agency that issued your passport, every impersonation attempt they make carries an implicit authority that random scraped data cannot replicate.

This is why government identity database breaches are categorically more dangerous than commercial breaches. And it is why affected individuals need to treat themselves as permanently elevated-risk targets for personalized fraud attempts — not just in the weeks after the breach, but for years to come.

Sources: TechCrunch · Cybernews · The Register · BleepingComputer