Leak at Resana
On 18 November 2025, users of Resana — France's interministerial collaborative platform run by DINUM — were notified of a data exfiltration after attackers logged in with a compromised account. Up to roughly one million public agents were potentially exposed, triggering ransom emails to civil servants.
- Victim
- Resana
On 18 November 2025, Resana — the interministerial collaborative platform operated by France's Direction Interministérielle du Numérique (DINUM) and used across government ministries as a shared document store, often described as "a Google Drive for civil servants" — notified its users that data had been exfiltrated. The disclosure came as attackers began sending extortion emails directly to French state agents and civil servants.
According to DINUM, the breach did not stem from a flaw in Resana's infrastructure but from the use of legitimate credentials: the attackers logged into a compromised user account rather than exploiting a technical vulnerability. The platform reportedly lacked multi-factor authentication at the time, allowing a single set of credentials to reach data tied to a very large population of public agents.
The exposed data included:
- Full names
- Professional email addresses
- Personal and professional phone numbers
- Organisation / ministry affiliation
- Professional status and related details
The attackers claimed more than one million agents were affected and demanded a ransom of around 17,000 euros, though DINUM has not officially confirmed the volume or exact nature of the documents involved. The incident has been linked to two French actors using the handles "HexDex" and "Angel_Batista." The ministry's cyber-defence services were involved in the response, and authorities urged all personnel to change their professional passwords, enable MFA where available, and stay alert to ransom emails and phishing attempts. As of disclosure the scope assessment was still ongoing.
Sources
- numerama.comhttps://www.numerama.com/cyberguerre/2120401-chantage-en-cours-sur-des-agents-et-fonctionnaires-de-letat-francais-des-hackers-ont-exfiltre-des-donnees-dune-plateforme-interministerielle.html
- franceinfo.frhttps://www.franceinfo.fr/internet/securite-sur-internet/cyberattaques/enquete-francetv-comment-deux-piratages-ont-permis-la-fuite-de-donnees-sensibles-sur-des-hauts-fonctionnaires-et-le-vol-d-armes-a-feu-dans-des-cambriolages_7641599.html
- lejournaleconomique.comhttps://www.lejournaleconomique.com/2025/11/20/des-hackers-exfiltrent-des-donnees-sensibles-chantage-sur-des-agents-et-fonctionnaires-de-letat-francais/
- lynxintel.iohttps://lynxintel.io/fr/resana-une-faille-dans-les-donnees-du-gouvernement-francais/