19 Million French IDs Stolen. The Next Email From Your Bank Could Be Real and Still Be a Scam

France just confirmed a massive data breach at ANTS, the agency that issues passports and national IDs. A hacker is selling up to 19 million records on the dark web. Names, addresses, birthdays, emails, phone numbers, all exposed. The next email that looks like your bank might be real, and still be a scam. What was stolen and what to do.

✍️ Gianluca

On April 20, 2026, the French government confirmed what a thread on a dark web forum had already revealed five days earlier. ANTS, the Agence Nationale des Titres Sécurisés, the agency that handles the issuance and management of national IDs, passports, driving licences, and immigration documents in France, was breached. The intrusion was detected on April 15. By the time the public statement landed, a threat actor using the alias breach3d was already advertising a database of 19 million records for sale. The Ministry of the Interior puts the number of affected accounts closer to 11.7 million. Either way, this is one of the largest leaks of state-issued identity data the European Union has ever seen.

What ANTS Confirmed

The official communiqué from the Ministry of the Interior is sober and narrow in scope. ANTS detected a security incident that may involve the disclosure of data from individual and professional accounts on the ants.gouv.fr portal. The agency notified the CNIL, the French data protection authority, filed a complaint with the Paris public prosecutor, and engaged ANSSI, the national cybersecurity agency. On April 24, ANTS took the entire portal offline for maintenance, suspending document requests and tracking while the investigation continues.

As of the latest update, professional account holders have been notified by email. Notifications to individual users are still being processed in waves. The agency has not disclosed the attack vector: whether the breach resulted from a vulnerability in the portal, a stolen credential, or a compromised third party. What it has confirmed is the type of data accessed.

What Was Stolen

According to the official statement and the listing on the dark web forum, the stolen records may include full names, dates and places of birth, postal addresses, email addresses, phone numbers, login identifiers, account metadata, civil status, gender, and a unique internal identifier tying each record to a specific portal account. Financial data, biometric data, and government document numbers themselves (such as passport numbers or national ID numbers) are not, as of this writing, listed in the leaked dataset. That distinction matters less than it sounds.

Why a Name and an Address Are Already Enough

A common reaction to data breaches like this is reassurance. No card numbers were leaked, no passwords, no document images. The reasoning is that without a credential or a financial identifier, an attacker cannot do much. That reasoning is wrong, and it is wrong in a specific way that has become the dominant mode of fraud in the past two years.

A modern phishing operation does not need your password. It needs context. It needs to know that you live at this specific address, that you applied for a passport renewal in February, that your phone number ends in these four digits, that your full legal name is spelled exactly this way. With those ingredients, an attacker can produce an email, an SMS, a WhatsApp message, or a phone call that is indistinguishable from a real one. Not because the attacker is clever, but because the message is built on data that, in the victim's mind, only the legitimate sender could possibly know.

The Scam That Looks Real Because It Partly Is

Imagine an email arriving in your inbox in two weeks. It addresses you by your full legal name. It references your real postal address. It mentions, correctly, that you have an account on the ants.gouv.fr portal and that your last interaction was a passport renewal. It claims that, as a consequence of the ANTS incident, your bank has been informed and is asking you to confirm a recent transaction by clicking a link. The link points to a domain that looks plausible. The page on the other side is a clean copy of your bank's login screen.

Nothing about that email needs to be sent by your bank for the scam to work. The bank itself may be entirely outside the chain. The email may even be triggered by a real event, a piece of correspondence you actually received, a notice you actually have to act on. The scam works precisely because it overlaps with reality. Some of the details are accurate. The attacker is, in effect, performing your administrative life on your behalf, badly enough to defraud you, well enough to be believed.

The Aggregation Problem

The ANTS dataset does not exist in isolation. Criminals will cross-reference it with other leaked datasets. Booking.com customer records from earlier in April. Insurance broker leaks from last year. Healthcare portal exposures going back further. Each individual breach is bounded. The composite, rebuilt by anyone willing to stitch the pieces together, is a near-complete profile of an ordinary citizen, suitable for impersonation against any service that asks security questions based on personal information.

This is the part the term data breach struggles to convey. The damage is not the leaked file. The damage is the next file that joins it.

What to Actually Do

Standard advice for breach victims (change your password, enable two-factor authentication, monitor your accounts) applies, but it is not the most important takeaway here. The more useful shift is in how you treat incoming communication for the next several months.

Default to Suspicion, Especially When the Message Looks Right

The instinct to trust an email or a phone call goes up when the sender knows accurate details about you. Reverse that instinct. After a breach of this size, accurate details are a tell, not a guarantee. If a message references your address, your recent interaction with a public portal, or a specific document you applied for, that is the moment to slow down, not the moment to comply.

Never Respond Through the Channel You Were Contacted On

If your bank emails you about a transaction, do not click the link in the email. Open a new browser tab, type the bank's URL by hand, and log in there. If a courier service texts you about a customs fee, do not call the number in the SMS. Look up the courier's number on the official website. If ANTS or the Ministry of the Interior emails you, the same rule applies. Verify by reaching the agency on the channel you control, not the one the sender chose.

When in Doubt, Contact Your Advisor Directly

If you have a banker, an insurance agent, an accountant, or a legal contact, use them as a verification layer. A two-minute phone call to a person you actually know is faster, more reliable, and less risky than parsing the headers of a suspicious email. Build the habit of routing any unexpected financial or administrative request through a human you already trust before acting on it.

Treat the Phone Number on the Message as Untrusted

Caller ID can be spoofed. The number that appears on your screen during an incoming call is not proof of who is on the line. If a caller claims to be from your bank, the tax office, the police, or any institution, the safe move is the same as for email: hang up, find the institution's published number independently, and call it back yourself.

Watch for the Long Tail

Stolen identity data does not expire. The phishing campaigns built on the ANTS dataset will not all appear next week. Some will surface in six months, when the news cycle has moved on and people are no longer paying attention. Stay vigilant beyond the immediate aftermath.

A Pattern That Keeps Repeating

Two weeks ago in this same column I wrote about the Booking.com reservation hijack, and a few days later about the Vercel breach that surfaced via a third-party OAuth integration. The ANTS incident is the same story told from the government side. The trust we extend to public services is heavier than the trust we extend to a hotel booking platform, but the underlying mechanic is identical. We give our real data to one party. That party stores it on our behalf. Sooner or later, that party loses it. The data does not come back.

What changes from incident to incident is not the question of whether breaches will happen. It is the question of how quickly the people whose data was taken can adjust their behaviour to a world in which a convincing message is no longer evidence of legitimacy. That adjustment is now a permanent skill, not a temporary precaution. The faster we treat scepticism as the default mode of inbox triage, the smaller the second-order damage of every breach that follows this one.

Sources and Further Reading

The official statements and operational updates are published by the French Ministry of the Interior and on the ANTS news page, including the April 24 portal maintenance notice. Reporting on the breach3d listing, the alleged 19 million record dataset, and the disclosure timeline comes from TechCrunch and TechRadar. Additional context on the data scope, the risk of follow-up scams, and the involvement of CNIL, ANSSI, and the Paris prosecutor is covered by BleepingComputer and Help Net Security. Earlier reflections on related patterns are in the CodeHelper articles on the Booking.com reservation hijack and the Vercel breach.

Published April 2026. This is an opinion piece and analysis, not a sponsored post. CodeHelper has no commercial relationship with the institutions or companies mentioned.