France's ANTS (Agence nationale des titres sécurisés / France Titres), the Interior-Ministry body managing ID cards, passports, driver's licences and immigration documents, detected a security incident around 15 April 2026 on its ants.gouv.fr portal. ANTS confirmed about 11.7 million accounts were impacted (a threat actor claimed up to 19 million). Exposed data reportedly included full names, contact details, dates of birth, home addresses and civil-status information. Researchers traced it to a basic Insecure Direct Object Reference (IDOR) flaw in the ANTS API; ANTS notified the CNIL, ANSSI and the Paris prosecutor. We explain IDOR in plain terms and the identity-theft risk.

Building or running citizen-facing portals and APIs? Visit  ...