French Interior Ministry Email Server Breach and Potential Abuse
Hackers breached the email servers of the French Ministry of the Interior, as confirmed by Interior Minister Laurent Nunez. The attack, detected between December 11 and 12, allowed threat actors to access certain document files, though there is no current evidence of serious data compromise. In response, the ministry has tightened security measures and reinforced access controls for all agents, while an investigation is underway to determine the origin and scope of the breach. Authorities are considering various scenarios, including foreign interference, hacktivism, or cybercrime, and have not yet released technical details about the attack.
Following the breach, there are indications that emails sent from the French Ministry of the Interior's domain were used to announce the reopening of BreachForums, a notorious cybercriminal marketplace. This suggests that the attackers may have leveraged their access to the ministry's email infrastructure for further malicious activity, potentially as part of a hacker honeypot or to lend credibility to their communications. The incident highlights the risks associated with compromised government email systems and the potential for such breaches to be exploited in broader cybercriminal operations.
Timeline
Dec 17, 2025
France arrests 22-year-old suspect over ministry hack
French authorities arrested a 22-year-old suspect on December 17, 2025, in connection with the cyberattack on the Interior Ministry. The investigation, led by the Office for Combating Cybercrime, remained ongoing as officials worked to determine whether others were involved and to verify the attackers' claims.
Dec 17, 2025
Emails from ministry domain announce BreachForums relaunch
BreachForums' reopening was announced through emails sent from the French Interior Ministry's domain, raising concerns that the government email infrastructure had been compromised or abused for spoofing. The messages linked the ministry breach to the cybercriminal forum's return.
Dec 16, 2025
Ministry imposes emergency security measures after breach
The Interior Ministry tightened security controls in response to the incident, including password changes, reinforced access restrictions, and deployment of two-factor authentication. Officials said the attack was being handled with the highest level of vigilance because of the sensitivity of the affected systems.
Dec 16, 2025
French authorities open technical, judicial, and administrative probes
Following discovery and publicization of the breach, the ministry's cybersecurity center, ANSSI, and judicial authorities began investigations to determine the origin, scope, and impact of the intrusion. A data breach notification was also filed with France's data protection regulator, CNIL.
Dec 16, 2025
BreachForums actor publicizes breach and claims responsibility
A user tied to the relaunched BreachForums forum claimed responsibility for the Interior Ministry hack, posted screenshots as alleged proof, and asserted the breach was retaliation for prior arrests of forum members. The actor also claimed access to highly sensitive French law enforcement data, though authorities did not verify those claims.
Dec 12, 2025
Attackers access confidential ministry documents
During the intrusion, attackers accessed dozens of confidential documents and may have used compromised email accounts to reach internal business applications. Officials said there was no confirmed evidence at that stage of major data theft or a ransom demand.
Dec 11, 2025
Interior Ministry detects cyberattack on email servers
France's Ministry of the Interior detected a cyberattack affecting its internal email infrastructure between December 11 and 12, 2025. Attackers gained unauthorized access to several ministry email accounts and some document files.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
1 more from sources like securityaffairs
Related Stories
Cyberattack on French Interior Ministry Email Servers
The French Interior Ministry confirmed a cyberattack that compromised its email servers, allowing attackers to access certain document files. In response, the ministry implemented enhanced security protocols and access controls, while an investigation was launched to determine the origin and scope of the breach. Authorities have not yet confirmed whether any data was stolen, and are considering multiple possible motives, including foreign interference, hacktivism, or cybercrime. The Interior Ministry, which oversees police, internal security, and immigration, is considered a high-value target for both state-sponsored and criminal actors. The incident was reported in several news roundups, highlighting its significance within the broader context of European cybersecurity threats. While attribution has not been established for this specific attack, previous campaigns against French government entities have been linked to Russian state-sponsored groups such as APT28. The breach underscores ongoing concerns about the vulnerability of critical government infrastructure to sophisticated cyber threats and the need for robust incident response and investigation procedures.
1 months ago
French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its `Compass` platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about **243,000 people**, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on **multi-factor authentication**, stronger data segmentation, and reduced application exposure. Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about **1.5 million people**. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves **"Ryolait"** allegedly offered the stolen database for sale starting at **$2,000**. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
1 months ago
Cyberattack on France’s ANTS portal may have exposed identity document user data
France’s Interior Ministry disclosed a cyberattack on the National Agency for Secure Documents (**ANTS**) portal, `ants.gouv.fr`, the government platform used to manage passport, national ID card, residence permit, and driver’s license applications. Detected on April 15, the incident may have exposed personal data tied to individual and professional accounts, including login identifiers, names, email addresses, dates of birth, and account IDs, with some records also potentially containing postal addresses, places of birth, and phone numbers. Officials said uploaded administrative documents were not compromised and that the exposed data cannot be used to directly access ANTS accounts. French authorities reported the breach to **CNIL**, notified prosecutors, and alerted the national cybersecurity agency as investigators work to determine the scope, origin, and impact of the intrusion. The number of affected users has not been disclosed, but impacted individuals are being notified and urged to watch for suspicious messages. Separately, an unverified threat actor has claimed to be selling a dataset allegedly stolen from ANTS containing roughly **18–19 million** records, heightening concerns over identity theft and fraud if the claim is confirmed.
2 days ago