A 15-Year-Old Called "breach3d" Just Stole 19 Million French Passports — From the Government's Own Secure Agency

:shield: A 15-Year-Old Called “breach3d” Just Stole 19 Million French Passports — From the Government’s Own Secure Agency

A teenager allegedly cracked open France’s most guarded identity vault — and tried to sell a third of the country on a hacker forum

19 million records. One kid. The alias “breach3d.” France’s national passport and ID card agency — the one place that’s supposed to be locked down tighter than anything — got emptied out like a sock drawer.

WAIT. Before you read further — this isn’t some random database of email addresses. This is France’s ANTS (Agence Nationale des Titres Sécurisés). The agency that handles every single passport, national ID card, and driver’s license in the country. The kid allegedly yanked out names, birthdays, addresses, phone numbers, and emails for up to one-third of France’s entire population. Then put it up for sale. He’s fifteen.

hacker passport


🧩 Dumb Mode Dictionary
Term What It Actually Means
ANTS France’s government agency that makes and manages passports and ID cards — like the DMV but way more sensitive
breach3d The online nickname the teenager allegedly used on hacker forums
Data extraction Fancy legal way of saying “copied all the data out of their system”
Judicial supervision Like house arrest-lite for minors — you’re not in jail but you can’t go anywhere fun
Automated data processing system Legal term for “a computer with a database” — that’s literally it
📅 How This Went Down — The Timeline

This wasn’t discovered in real-time. The whole thing played out over weeks:

  • April 13 — ANTS detects something weird happening on their network. Oops.
  • April 16 — Paris Prosecutor’s cyber unit gets the call.
  • April 20 — France’s Interior Ministry goes public: “Yeah, we got hacked.”
  • April 25Police detain a 15-year-old at his home.
  • April 29 — Formal investigation officially opened.
  • April 30The Register breaks the story with full details.

So between the hack happening and the kid getting caught? Twelve days. Not bad. But the data was already being advertised for sale online by then.

📊 The Receipts — What Got Stolen
Data Type Stolen?
Full names :white_check_mark:
Email addresses :white_check_mark:
Dates of birth :white_check_mark:
Home addresses :white_check_mark:
Phone numbers :white_check_mark:
Login credentials :white_check_mark:
Unique account IDs :white_check_mark:
Passport scans / photos :cross_mark: (small mercy)

The numbers don’t match up and that’s the scary part: ANTS says 11.7 million accounts were hit. The seller advertised 18-19 million records. The gap probably means the kid accessed the entire database — including old and inactive records — not just the currently active ones.

If those records represent unique individuals, that’s roughly 1 in 3 French citizens whose identity data is now floating around on the dark web.

⚖️ What Happens to a 15-Year-Old Who Hacks a Government

Here’s where it gets interesting. Under French law, the charges are:

  • Fraudulent access to automated data processing systems — up to 7 years in prison
  • Unauthorized data extraction — another 7 years

Plus €300,000 (~$350,000) in fines. Per charge.

But here’s the thing — French juvenile law is built around rehabilitation, not punishment. The kid is under “judicial supervision,” which basically means monitored freedom while the case proceeds. Prosecutor Laure Beccuau pushed for formal charges, but realistically? A 15-year-old in France is extremely unlikely to see prison time. Community service, mandatory education programs, maybe a restricted internet order.

The identity of the minor is protected under French privacy law. We know the alias — breach3d — and that’s about it.

🗣️ The Bigger Problem Nobody Wants to Talk About

This wasn’t some zero-day exploit (a never-before-seen security flaw). This was a teenager. Getting into France’s most sensitive civilian database.

Some things to chew on:

  • ANTS handles 67 million citizens’ documents. The security protecting it should be military-grade. It clearly wasn’t.
  • The data didn’t include passport scans — meaning the kid hit the account/user database, not the document storage. That’s still devastating for identity theft but could have been far worse.
  • France has no federal breach notification law the way some US states do. Citizens found out from news reports, not official warnings.
  • The “breach3d” alias was already known on underground forums. This allegedly wasn’t the kid’s first listing — just the biggest.

The French government hasn’t explained HOW the breach actually happened. Was it a SQL injection? (That’s when you trick a website’s search bar into spitting out database contents.) A stolen employee login? We don’t know. And they’re not saying.

🌍 This Keeps Happening Everywhere

France isn’t alone. Government ID databases are getting popped worldwide:

  • India’s Aadhaar (1.1 billion biometric records) had a breach in 2023
  • Brazil’s DataSUS exposed 243 million health records in 2020
  • Argentina’s RENAPER (national ID registry) was hacked in 2021 by a single individual
  • China’s Tianjin supercomputer lost 10 petabytes recently

The pattern is always the same: one person, one vulnerability, millions of records. Government agencies keep learning the lesson and then forgetting it.


Cool. A teenager just proved that France’s identity fortress has a screen door. Now What the Hell Do We Do? ( ͡ಠ ʖ̯ ͡ಠ)

passport security

🕳️ The Breach Notification Arbitrage

Here’s the play: most European countries STILL don’t have real-time breach notification for citizens. When a breach like ANTS happens, people find out from Twitter, not from their government. There’s a gap between “breach happens” and “public finds out” — usually 5-15 days.

Build a breach alert service specifically for non-English-speaking countries. Most existing breach checkers (like HaveIBeenPwned) are English-first and US-focused. A localized service that monitors dark web forums in French, Portuguese, Arabic, and Bahasa — and sends SMS alerts in those languages — fills a void nobody’s covering.

:brain: Example: A 26-year-old developer in Lisbon built a Portuguese-language breach alert Telegram bot after Portugal’s health service got hacked in 2024. He charges €2/month. He’s got 14,000 paying subscribers from word-of-mouth alone because the government notification took 3 weeks.

:chart_increasing: Timeline: First subscribers in 7-10 days after launch (time it with the next big breach). Revenue plateau around 6 months when the news cycle fades — then the NEXT breach brings a new spike.

📡 The Dark Web Price Tracker

When breach3d posted 19 million records for sale, the price wasn’t public. But dark web marketplace prices follow patterns — they drop as data ages, spike when the data is fresh, and crash when the same data gets resold by copycats.

Build a dark web data pricing dashboard — a stock ticker for stolen data. Scrape listing prices from public-facing breach forums (many of these are indexed and don’t require Tor). Track price curves over time. Sell access to insurance companies and corporate risk teams who need to value the cost of a breach for their actuarial tables (the math they use to set insurance prices).

:brain: Example: A cybersecurity student in Bucharest scraped 6 months of BreachForums listing prices, built a simple dashboard with Streamlit, and sold quarterly reports to three EU cyber insurance firms at €800/report. Total tool cost: $0. Time to first sale: 3 weeks.

:chart_increasing: Timeline: First paying client in 2-4 weeks (cold-email cyber insurance companies with a free sample report). Market gets saturated in ~8 months as bigger firms copy the idea. Cash in early.

🪟 The Post-Breach Identity Lockdown Kit

Every time a massive breach hits, millions of people Google “how to protect my identity” and find… generic blog posts from 2019. The advice is always the same (“change your passwords!”) and it’s never specific to the actual breach.

Create country-specific, breach-specific identity lockdown guides that you sell or monetize with affiliate links. After the ANTS breach specifically: which French banks let you freeze credit remotely? How do you file a CNIL complaint (France’s data protection authority)? Which identity monitoring services work in France? Package this into a clean PDF or Notion template, translate it, push it on French-language forums within 48 hours of the breach going public.

:brain: Example: A freelance writer in Tunis created a 12-page Arabic-language identity protection guide after a Tunisian telecom breach, pushed it on local Facebook groups as a “pay what you want” download. Made $2,300 in the first week from a country where the average monthly salary is $350. Used Canva for design, nothing else.

:chart_increasing: Timeline: First sales within 48-72 hours of a breach hitting the news. Window closes in ~2 weeks as free guides catch up. Repeat for every new breach in a new country.

🎣 The Government Pentester Pipeline

This breach just embarrassed an entire nation. You know what happens next? France is about to dump money into cybersecurity audits. Every single government agency in the EU is now side-eyeing their own systems thinking “could a 15-year-old do this to us?”

The play: become the middleman between freelance pentesters (security testers who try to break into systems legally) and panicking government agencies. You don’t need to be a hacker yourself. You need to know pentesters (they’re everywhere on HackerOne and Bugcrowd) and you need to be able to write a proposal in formal government-ese.

:brain: Example: A 29-year-old project manager in Warsaw registered a one-person “cybersecurity consultancy,” partnered with three freelance pentesters from Romania and Ukraine, and won a €45,000 municipal government security audit contract in Poland. His role: writing proposals, managing timelines, delivering reports. Zero technical work on his end.

:chart_increasing: Timeline: First contract in 4-8 weeks (government procurement is slow). Revenue is lumpy — one big contract every 2-3 months. The patch window here is 12-18 months before governments finish their panic-spending cycle.

🎰 The Breach Bounty Flipper

Bug bounty programs pay you to find security holes in websites. After a massive breach, companies in the SAME industry panic and quietly launch or expand their bug bounty programs. The ANTS breach means every document management company, every GovTech startup, every identity verification platform just got nervous.

The move: monitor new and expanded bug bounty listings on HackerOne, Bugcrowd, and Intigriti in the 2-4 weeks after a major breach. Focus specifically on companies in the same sector as the breach victim. They’re rushing to launch programs, setting bounties high to attract talent fast, and their systems haven’t been hardened yet because — well — they just started caring.

:brain: Example: A self-taught security researcher in Nairobi noticed that after a big healthcare breach in 2025, three health-tech companies launched HackerOne programs within 10 days. He found a basic authentication bypass (a simple login trick) in one of them within hours of the program going live. Payout: $3,500 for about 4 hours of work.

:chart_increasing: Timeline: First bounty within 1-2 weeks of a major breach (that’s when new programs appear). This is cyclical — every new breach creates a new wave. Skill ceiling is real though — you need basic web security knowledge, which takes 2-4 weeks to learn from PortSwigger’s free academy.

🛠️ Follow-Up Actions
Goal What to Do Right Now
Check if your data was in the ANTS breach Visit France’s CNIL page for official updates — ANTS hasn’t released a lookup tool yet
Protect your French ID data Change your ANTS/France Titres account password immediately, enable 2FA if available
Monitor your identity Set up alerts on HaveIBeenPwned — the ANTS data will likely appear there once processed
Learn basic pentesting Start with PortSwigger Web Security Academy — completely free, zero experience needed
Find bug bounties in the post-breach wave Check HackerOne directory filtered by “new programs” weekly

:high_voltage: Quick Hits

Want to… Do this
:magnifying_glass_tilted_left: Check if you’re in the breach Monitor HaveIBeenPwned — ANTS data pending
:shield: Lock down your French accounts Change France Titres password + enable 2FA now
:money_bag: Profit from post-breach panic Watch HackerOne for new GovTech bounty programs this month
:brain: Learn to find vulnerabilities PortSwigger Academy — free, self-paced, legit
:newspaper: Read the full investigation The Register’s breakdown has all the details

A government built a digital fortress to guard 67 million identities. A kid with a screen name cracked it open before his 16th birthday. Sleep tight.

Source: The Register | Additional reporting: Cybernews, The Record, BleepingComputer

4 Likes