France confirms cyberattack on Ministry of Interior, hackers claim 16M individuals exposed


Attackers claim the “major data breach” involves sensitive data from several sensitive systems controlled by the French Ministry of the Interior. The ministry has confirmed that it suffered a cyberattack, but has not shared how many individuals may have been exposed.

The post announcing the attack appeared on Breachforums, a resurrected data leak website, earlier this week. Attackers boasted of accessing France’s Ministry of Interior (Beauvau) and plundering numerous governmental systems containing sensitive data.

The message was intended to signify the return of the infamous Breachforums website, which had been taken down by authorities and brought back by attackers so many times that it’s easy to lose count.

Meanwhile, the group behind the alleged hack explained that the attack is a form of revenge for authorities arresting members of the “ShinyHunters/hollow” cybergang. The breach, the attackers want us to believe, exposed information on over 16.4 million French individuals, or nearly a quarter of the total population of France.

The Ministry confirmed to Cybernews that it had suffered a “malicious intrusion,” which is now being handled “at the highest level.” According to Beauvau, the initial technical investigation revealed that attackers were able to view a limited number of professional email accounts.

Meanwhile, Le Figaro reported that the initial investigation by French authorities revealed that hackers likely obtained credentials that allowed them to access the ministry’s applications. According to reports, attackers likely obtained passwords after employees shared them in plain text via email.

“Some identification elements were thus recovered via the email accounts, granting access to business applications. Analyses are ongoing to determine precisely the scope, nature, and volume of the data affected, and especially which data was compromised,” the Ministry told Cybernews.

However, at this stage it is still unclear what type of data attackers managed to access or if they were able to syphon any details. The Ministry said it is aware of the post on Breachforums and its claims are being investigated.

“All necessary measures are being taken to thwart this intrusion and strengthen the overall security of the ministry's information systems. The judicial investigation is ongoing in order to identify the perpetrator as quickly as possible and bring them to justice,” the Ministry said.

Earlier today, France’s Minister of the Interior, Laurent Nuñez, confirmed to French media that the Criminal Records Processing System (TAJ) and the Wanted Persons File (FPR) were among the databases accessed, which contain “important” documents.

“We don't yet know the extent of the breach, we don't know what was extracted: to date, a few dozen files have been removed from the system, but we're talking about millions of data points,” Nuñez said, as quoted by L’Alsace.

The Ministry shared with Cybernews a transcript of the Nuñez interview in which the minister explained that the attackers’ claims about accessing millions of records that could expose millions of French citizens are, to the best of Nuñez’s knowledge, false.

“There are 300,000 staff members at the Interior Ministry. From certain professional inboxes, attackers were able to recover access codes that were exchanged in plain text, despite all the safety rules that we very regularly circulate,” Nuñez said.

The minister said that despite what's said on Breachforums, the government did not receive any ransom demands. Pressed about how the data breach would impact the Ministry if stolen details were leaked, Nuñez explained that he is worried about that possibility.

“The flip side of being allowed to process this type of data is that we must guarantee the highest possible level of protection. In this instance, there was an intrusion, so that obligation was not fully met. I regard this as a serious incident – let me be clear, it is very serious. As for whether it will undermine ongoing investigations, I cannot say at this stage. I don’t think so, but I have no certainty,” the minister explained.

Beauvau data breach: what are attackers claiming?

Initially, attackers went on to say the hack involves information on millions of French citizens. Additionally, attackers claimed to have accessed TAJ, FPR, as well as Interpol-related systems, along with datasets involving Beauvau’s financials and pension schemes.

While the attackers did not specify what type of data may have been exposed, the allegedly accessed dataset most likely holds vast amounts of sensitive details, ranging from personally identifiable information (PII) to criminal records and confidential case details. Ministry employees, including officers, may have also been affected.

Other reports indicate that the 16 million individuals allegedly exposed in the data breach are suspects and victims from all ongoing and past judicial proceedings. If confirmed, the attack could have long-lasting ramifications as vast quantities of sensitive data could be used by foreign governments and criminal organizations.

Interestingly, the alleged “revenge” attack against fallen cyber brethren involves monetary demands as attackers gave the French government one week to pay for the stolen data, which would be “deleted” after payment. Otherwise, attackers promised to sell the details to other cybercriminals.

The message was later removed from Breachforums, as the website was decorated with an “under maintenance” banner. According to the attackers, they were forced to take down the forum over a wave of DDoS attacks.

Cybercrooks also revealed they accessed Beauvau via the CHEOPS portal, a system the authorities use to communicate with each other.

However, not all are convinced that the attackers actually obtained sensitive information. Baptiste Robert, a French security researcher and the CEO of cybersecurity firm Predicta Labs, noted that despite the bold claims, attackers still haven’t provided any data sample to support them.

Attackers uploaded a screenshot of the CHEOPS portal’s landing page with “WE ARE STILL HERE” written in the place where a user's password should go. One blurred-out ID card is also visible, hinting that the attackers may have accessed ID documents of some police officers.

“Guys, you didn't even take a screenshot of yourselves authenticated on the portal? Is that all you've got to show?” Robert noted on X in a post in French.

In a later post, the security researcher noted that although a significant data breach occurred, there is currently no indication that attackers have managed to exfiltrate large amounts of personal and sensitive data.

“Sample, or it didn’t exist, bro,” Robert scoffed at the attackers.

The original post at the resurrected Breachforums included a total of three redacted screenshots. One supposedly showed the number of exposed individuals, while two others were supposed to show that attackers got their hands on PII.

Alleged sample of the data supposedly stolen from the French Ministry of Interior. Image by Cybernews.

Attackers explained that they don't want to post samples from TAJ as they are waiting for the French authorities to react to hacker demands.

The overall modus operandi is quite uncommon. Take ransomware gangs, malicious groups whose entire existence is based on successful threat campaigns. These types of malicious actors typically provide raw proof of a data breach, which is often meant to serve as a scare tactic to coax victims into paying the ransom.

Past French data breaches

The French Ministry of Interior cyberattack is hardly the first major data security incident the country was forced to grapple with. Last year, Cybernews researchers uncovered an exposed instance with over 95 million records, compiling known and unknown data breaches from past attacks.

Meanwhile, this May, the Stormous ransomware cartel posted a large dataset on its dark web blog, which supposedly contained multiple emails and passwords attributed to numerous France-based organizations and institutions.

Being a large and wealthy country, France is often the target of cybercriminals. Just this year attackers targeted the country's flagship carrier Air France, the prestigious French school Sorbonne Université, as well as the French Football Federation.

Updated on December 17th [02:40 p.m. GMT] with a statement from France's Ministry of Interior.

