Hack Exposes Up to 19 Million Accounts on France’s ID Portal, Fueling a New Wave of Scams

France’s main online gateway for passports, national ID cards, driver’s licenses, and vehicle registrations has been hit by a cyber intrusion that may have exposed personal data tied to as many as 19 million user profiles.

The breach, detected April 15 and disclosed days later, targets ANTS, the French government platform now branded “France Titres.” Officials say the most sensitive documents people uploaded weren’t taken. But the information that may have leaked is still enough to supercharge phishing, text-message scams, and identity-based fraud aimed at ordinary citizens.

What ANTS is, and why Americans should care

ANTS (Agence nationale des titres sécurisés) is France’s one-stop digital counter for core identity paperwork. Think of it as a centralized federal portal that handles the kinds of transactions Americans might spread across the DMV, the State Department (passports), and state motor vehicle agencies.

That’s what makes this breach so unsettling: it’s not a niche site. It’s the place millions of people go when they need official documents, and when criminals want believable hooks for scams.

What data may have leaked

According to French authorities, the exposed data involves account-related personal identifiers: names, email addresses, dates of birth, and account identifiers (including a unique internal ID tied to a user profile).

In some cases, additional fields may also appear in certain accounts, such as a home address, place of birth, or phone number. That combination is prime material for targeted fraud because it lets scammers personalize messages in ways that feel “official.”

Some reporting in France also points to signs the data may have been pulled in a structured way, more like a database extraction than casual scraping, making it easier to match against other leaked datasets and build fuller identity profiles.

Officials say your uploaded documents weren’t stolen, but the risk is still real

France’s Interior Ministry has tried to reassure the public on two key points: files uploaded during applications, like scans, supporting documents, and photos, were not compromised, and the stolen data would not allow attackers to directly log into users’ ANTS accounts.

That matters. It suggests criminals didn’t walk away with a trove of passport scans or ID photos.

But it doesn’t eliminate the danger. A convincing email or text that includes your real name and birth date can be enough to trick people into handing over passwords, one-time verification codes, or payment details, especially when the message claims there’s a problem with a passport or license application.

Who could be affected, and how you’ll (really) find out

If you’ve ever used ANTS/France Titres for a passport, national ID card, driver’s license, residency permit, or vehicle registration, you could be in the affected pool. The figure cited publicly: up to 19 million profiles.

French officials say users identified as impacted will be contacted individually by email or postal mail. The problem is that the announcement itself creates perfect cover for criminals: people may start trusting messages that “sound like” government notifications because they’ve heard about the breach.

The safest approach is old-school: don’t click links in unexpected emails or texts. If you need to check your account, type the official site address into your browser yourself and navigate from there.

The scams likely to follow, and what they’ll look like

This kind of leak is a ready-made phishing kit. Expect emails claiming “your ID application is incomplete,” “your driver’s license is suspended,” or “your passport file is blocked.” The goal is to create urgency and push you to a fake login page or a payment screen.

A second wave often comes via SMS (“smishing”) and phone calls. A caller may pose as “secure documents support” and pressure you to share a code sent to your phone, codes that can unlock email accounts, banking logins, or other services unrelated to ANTS.

And then there are the small-dollar payment traps: a demand for a modest “processing fee” or “relaunch fee.” The amounts are designed to feel plausible and not worth fighting, until thousands of people pay.

What to do now

Start with your email account. If your email address is part of the leak, it’s now a bigger target. Turn on two-factor authentication wherever you can, especially for your inbox, and change any reused passwords.

Be ruthless about links. Don’t log in through a message, even if it includes personal details that look convincing. And don’t share verification codes with anyone who contacts you, legitimate agencies won’t ask for them over the phone or by email.

Finally, keep your expectations realistic: even if attackers can’t directly access ANTS accounts, the bigger threat is manipulation, getting people to hand over what the criminals couldn’t steal. And once personal data is out, it can fuel scams for months, not days.