France's official identity document portal confirmed on April 22 that unauthorized access detected a week prior had exposed records for 11.7 million citizens.
BleepingComputer reported that a threat actor using the alias "breach3d" claimed the attack on April 16, posting the dataset for sale on a criminal forum and describing the underlying vulnerability as trivial. France Titres, the government agency that issues national ID cards, passports, and driver's licenses, detected the access on April 15 and took its public portal offline on April 24. Exposed records include full names, email addresses, dates of birth, postal addresses, phone numbers, and account identifiers.
TechCrunch reported that Paris prosecutors disclosed the April 25 arrest of a 15-year-old suspect linked to the breach3d alias. The agency filed notifications with CNIL under GDPR Article 33, the Paris Prosecutor under Article 40 of the Code of Criminal Procedure, and ANSSI, France's national cybersecurity body. The threat actor claims 19 million records; France Titres has confirmed 11.7 million accounts affected. Security researchers traced the root cause to an Insecure Direct Object Reference vulnerability in the ANTS portal API. The attacker described the flaw as "really stupid."
Two things are worth pulling out of the reporting: why no scanner would have flagged this, and what the attack surface looks like from a proof-first perspective.
What scanners would have missed
An IDOR in a bespoke application like this portal has no CVE. It is a behavioral flaw, not a known-bad component, and no scanner ships a signature for "this API returns another user's record when you substitute their identifier." Consider what each layer of a standard scanning stack would actually have tested for here:
- SAST scans source code for injection patterns and hardcoded credentials. IDOR is an absence, a missing ownership check on the object lookup, and static analysis cannot flag a check that is not there unless someone has written an application-specific rule for it.
- SCA checks dependencies for known CVEs. There is no CVE for the design decision to return user A's record when user B's session requests it.
- DAST fuzzes endpoints for injection and authentication bypass. Most DAST tools do not systematically enumerate object identifiers across two authenticated sessions to test whether cross-account retrieval is possible.
CVSS compounds the gap. An IDOR on an authenticated endpoint scores lower because Privileges Required is Low rather than None, not because of Attack Vector, which is still Network. A typical vector for this class, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, comes out at 6.5, Medium. Whether one authenticated session can reach one record or 11 million is not a CVSS dimension; the metric records that confidentiality impact is High and stops there. The blast radius, which determines actual impact, goes unmeasured.
The attacker's "really stupid" characterization is a technical claim: the identifiers were predictable, the endpoint had no ownership check, and nothing flagged the access pattern. That is a finding any test that asks "can session A retrieve session B's data?" would have produced.
What Sekura would have shown
Phase 3 in Sekura's pipeline is dynamic probing. The agent sends structured requests against each discovered API endpoint, varying parameters to surface behavioral anomalies.
For a citizen-facing portal, the agent would have provisioned test credentials for two distinct accounts and run the following:
- Authenticate as account A and record the citizen identifier the portal itself returns in A's session context, not one guessed by the tester.
- Authenticate as account B and issue a record retrieval request substituting account A's identifier.
- Compare the responses. A 200 from B's session whose body carries A's field values confirms the IDOR. A denial that differs between an existing and a non-existent identifier is worth recording too, since it confirms which identifiers exist even when it withholds the record.
The finding would read: authenticated API requests for citizen records do not verify that the requested identifier belongs to the authenticated session. Any valid credential can retrieve any citizen's record by enumerating the identifier space. The proof artifact is a demonstrated cross-account retrieval showing the exact fields accessible.
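The following is an added example of that two-session check, written for this post; it is not Sekura's pipeline code. The "portal" is a constructed in-memory stand-in with a vulnerable lookup (no ownership check) and a hardened one, and the test accounts and records are made up. The probe only depends on two callables, one returning the caller's own identifier from session context and one fetching a record by id, so pointing it at a real endpoint means replacing those with thin HTTP wrappers.

```python
"""Two-session IDOR probe against a constructed citizen-record API."""
from dataclasses import dataclass, field

# Constructed sample data: two test accounts and the records they own.
RECORDS = {
    1000: {"id": 1000, "name": "Alice Example", "dob": "1990-01-01",
           "email": "alice@example.test"},
    1001: {"id": 1001, "name": "Bob Example", "dob": "1985-06-15",
           "email": "bob@example.test"},
}
SESSIONS = {"tok-a": 1000, "tok-b": 1001}  # session token -> owning record id


def whoami(token):
    """Stand-in for reading the citizen identifier from session context."""
    return SESSIONS[token]


def vulnerable_lookup(token, record_id):
    """Authenticates the session, then returns ANY record by id (the IDOR)."""
    if token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    record = RECORDS.get(record_id)
    return (200, record) if record else (404, {"error": "not found"})


def hardened_lookup(token, record_id):
    """Same endpoint with an object-level ownership check.

    Foreign ids get 404 rather than 403 so the endpoint does not confirm
    which identifiers exist; a 403 would still leak that."""
    if token not in SESSIONS:
        return 401, {"error": "unauthenticated"}
    if SESSIONS[token] != record_id or record_id not in RECORDS:
        return 404, {"error": "not found"}
    return 200, RECORDS[record_id]


@dataclass
class Finding:
    confirmed: bool
    leaked_fields: list = field(default_factory=list)
    detail: str = ""


def idor_probe(lookup, session_id, token_a, token_b):
    """Run the cross-account check described above.

    1. As A, read A's identifier from session context and fetch A's own record.
    2. As B, request A's identifier.
    3. A 200 whose body carries A's values is a confirmed finding; the
       matching fields are the proof artifact.
    """
    own_id = session_id(token_a)
    status_a, body_a = lookup(token_a, own_id)
    if status_a != 200:
        return Finding(False, detail=f"baseline fetch failed: {status_a}")

    status_b, body_b = lookup(token_b, own_id)
    if status_b != 200:
        return Finding(False, detail=f"cross-account request denied: {status_b}")

    # Only values that match A's baseline count as leaked, so a 200 with
    # B's own data or a generic body is not mistaken for a finding.
    leaked = sorted(k for k, v in body_a.items() if body_b.get(k) == v)
    if leaked:
        return Finding(True, leaked, f"session B retrieved record {own_id} of session A")
    return Finding(False, detail="200 returned but body did not match A's record")


def reachable_records(lookup, token, id_range):
    """Count how many identifiers in id_range one session can read with 200.

    Turns a single cross-account hit into the blast-radius number the
    finding needs."""
    return sum(1 for rid in id_range if lookup(token, rid)[0] == 200)


if __name__ == "__main__":
    for name, endpoint in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        f = idor_probe(endpoint, whoami, "tok-a", "tok-b")
        n = reachable_records(endpoint, "tok-b", range(1000, 1003))
        print(f"{name:10s} confirmed={f.confirmed} fields={f.leaked_fields} reachable={n} {f.detail}")
```

Against the vulnerable endpoint the probe confirms the finding with all four fields as proof and B reaches both stored records; against the hardened one B is denied with a 404 and reaches only its own record.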
We would report this as a confirmed finding, not a theoretical risk. The proof is the retrieval.
I think this is one of the most under-tested vulnerability classes in production systems. Applications often have strong session-level authentication and no object-level authorization. Those are different controls. Passing the first does not guarantee the second exists.
The bigger pattern
IDOR falls under Broken Access Control, OWASP's top-ranked web application vulnerability class since 2021. The France Titres case puts numbers on what that ranking means: one attacker, no CVE, no exploit kit, 11.7 million records reachable through a single authenticated session pattern.
Government identity data carries a different risk profile than leaked payment cards. A card can be cancelled and reissued; a name, date of birth and home address cannot, so the fraud and phishing surface this dataset creates will remain active long after the portal reopens.
I think the industry is in a period where authentication has hardened faster than authorization testing has expanded. Logging in is harder to bypass than it was five years ago. What you can reach after logging in, across other users' records, is tested inconsistently. The France Titres case is what that gap looks like at government scale.
If you want to see what proof-first API testing looks like on your own attack surface, see how we compare to traditional scanners.