Feb 20, 2026
A Single Stolen Password Exposed 1.2 Million French Bank Accounts
France's national bank account registry was breached through one government official's stolen credentials. The system had no multi-factor authentication. 1.2 million accounts were exposed.
What Was Breached
In late January 2026, an attacker gained access to FICOBA, France's national bank account registry managed by the Direction Générale des Finances Publiques (DGFiP). FICOBA lists every bank account opened in French banking institutions and serves as a critical database for tax collection and financial oversight.
The Ministry of the Economy and Finance disclosed the breach on February 19, confirming that information tied to 1.2 million bank accounts had been accessed. The breach was not the result of a sophisticated cyberattack. It was the consequence of a single stolen password and the absence of a basic security measure.
How One Password Opened the Door
The attacker used stolen credentials belonging to a single government official to log into the FICOBA system. The critical failure was that the system lacked multi-factor authentication (MFA), the standard security practice of requiring a second verification step beyond a password, such as a code sent to a phone or a hardware security key.
Without MFA, a stolen password was all that was needed to access a database containing financial records for more than a million people. This is the kind of vulnerability that security professionals consider inexcusable for any system, let alone a national financial registry.
How the official's credentials were stolen has not been publicly confirmed, but common methods include phishing emails, credential stuffing from previously leaked password databases, or infostealer malware that captures login details from infected devices.
What Data Was Exposed
The FICOBA registry contains detailed financial information for every bank account in France. According to the French Banking Federation, the compromised data includes:
- Account numbers (IBANs): The international bank account numbers used for transactions across Europe
- Full names: The legal names of account holders
- Addresses: Physical addresses associated with each account
- Tax identification numbers: Unique identifiers used for tax reporting
- Dates and places of birth: Personal identity information sufficient for impersonation
The DGFiP noted that the breach did not allow the attacker to view account balances or initiate transactions. But the exposed data creates significant secondary risks.
The Fraud and Phishing Risk
While the attacker could not directly access money through FICOBA, the combination of IBANs, names, addresses, and tax IDs gives fraudsters everything they need for convincing impersonation. Authorities have warned that the exposed data could enable:
- Direct debit fraud: Fraudsters registered as authorized debit issuers could forge debit mandates and request payments from exposed IBANs
- Targeted phishing: Emails or calls referencing real account details, tax IDs, and addresses are far more convincing than generic scams
- Identity theft: The combination of name, date of birth, place of birth, address, and tax ID is sufficient to impersonate someone for financial applications
Affected individuals will be notified directly, and banks have been alerted to watch for suspicious activity. But the data is already out, and the window for exploitation is open.
Why Basic Security Still Fails
The FICOBA breach is a case study in how the simplest security failures cause the largest damage. Multi-factor authentication has been a standard recommendation for over a decade. Major cloud providers, email services, and financial platforms all offer or require it. A national bank account registry operating without MFA in 2026 is a systemic governance failure.
France has faced a string of data breaches affecting government systems. In 2024, France Travail, the national employment agency, was breached, exposing data on 43 million citizens. The CNIL fined it 5 million euros. The FICOBA breach follows the same pattern: critical infrastructure protected by outdated security practices.
The lesson extends beyond France. Any system that relies on passwords alone is one phishing email away from a breach. MFA is not optional. It is the minimum acceptable security for any database containing personal information.
How to Protect Yourself
If you hold a bank account in France, take these steps immediately:
- Watch for unexpected direct debit charges on your accounts and report any unauthorized transactions to your bank immediately
- Be suspicious of emails or calls that reference your IBAN, tax ID, or account details. Legitimate institutions will not ask you to verify this information through unsolicited contact
- Enable notifications for all account activity so you are alerted to any transactions in real time
- Consider placing fraud alerts with French credit reporting agencies
- Enable MFA on every account you own. If this breach proves anything, it is that a password alone is never enough