The FICOBA Breach: 1.2 Million French Bank Accounts Exposed via Credential Theft
By: Nandhana .M | February 23, 2026
In a major blow to French national financial security, the Ministry of Economy and Finance has confirmed that a "malicious actor" successfully breached FICOBA, the national registry of bank accounts. The incident, disclosed in detail late last week and over the weekend, has exposed the sensitive financial data of approximately 1.2 million account holders.
This breach highlights a growing trend in 2026: attackers are increasingly abandoning complex zero-days in favor of high-value credential theft to masquerade as trusted insiders.
The Attack Vector: Stolen Identity, Not Broken Code
The breach was not the result of a software vulnerability. Instead, the attacker utilized stolen credentials belonging to a civil servant authorized to use the interministerial information exchange platform.
By impersonating a legitimate official, the threat actor was able to query the FICOBA database—which contains records for over 80 million individuals—without triggering immediate alarms. The unauthorized activity began in late January 2026 and was only recently detected through internal audit controls.
What Data Was Exposed?
FICOBA (Fichier National des Comptes Bancaires) is the central ledger that lists every bank account opened in France. The stolen data includes:
- Account Holder Identities: Full names and physical addresses.
- Bank Identifiers: IBAN and RIB (Relevé d'Identité Bancaire) numbers.
- Tax Identifiers: In many cases, the individual’s tax identification number (issued by the DGFiP).
Crucially, the authorities have stated that the breach did not provide access to account balances or transaction histories, nor can it be used to initiate direct transfers.
The Risk: SEPA Mandate Forgery and Social Engineering
While hackers cannot "drain" the accounts directly, the French Banking Federation (FBF) warned that the stolen IBANs and personal details provide the perfect foundation for Direct Debit Fraud.
Attackers can pose as legitimate creditors (such as utility companies or government services) to request direct debit payments. Furthermore, the combination of tax IDs and bank details allows for highly sophisticated social engineering, where fraudsters impersonate bank officials to trick victims into revealing their MFA codes or passwords.
The Hacklido Takeaway
For the researchers at Hacklido, the FICOBA incident is a textbook example of Identity-Based Perimeter Failure.
- Privileged Access Management (PAM): Why was a single civil servant's credential capable of querying over a million records without an MFA challenge or an anomaly alert?
- Blast Radius: In modern infrastructure, "interministerial exchange" often creates a wide, interconnected attack surface. An attacker who compromises an account in one department (Internal Affairs) can quickly pivot to the most sensitive data in another (Finance).
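The PAM question above comes down to a per-credential volume control on registry lookups. The sketch below is an added example, not code from FICOBA or any French government system: it counts the distinct records each principal queried per day and decides whether to allow, require step-up MFA, or block and alert. The event fields, principal names, thresholds and sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed policy values (hypothetical; tune per role and registry).
HARD_DAILY_CAP = 500      # distinct records per principal per day
BASELINE_MULTIPLIER = 5   # step-up when today exceeds 5x the principal's median day
MIN_BASELINE = 20         # floor so a new or quiet account still has a usable limit

def daily_distinct(events):
    """events: (iso_date, principal, record_id) -> {principal: {date: set(record_ids)}}"""
    seen = defaultdict(lambda: defaultdict(set))
    for day, principal, record_id in events:
        seen[principal][date.fromisoformat(day)].add(record_id)
    return seen

def evaluate(events, today):
    """Return {principal: (decision, distinct_today, threshold)} for `today`."""
    today = date.fromisoformat(today)
    out = {}
    for principal, days in daily_distinct(events).items():
        count = len(days.get(today, ()))
        history = [len(ids) for d, ids in days.items() if d < today]
        baseline = max(median(history) if history else 0, MIN_BASELINE)
        threshold = baseline * BASELINE_MULTIPLIER
        if count > HARD_DAILY_CAP:
            decision = "block_and_alert"   # volume no single role should need
        elif count > threshold:
            decision = "step_up_mfa"       # unusual for this principal: re-authenticate
        else:
            decision = "allow"
        out[principal] = (decision, count, threshold)
    return out

def sample_events():
    """Constructed audit log: agent_a is steady, agent_b spikes, agent_c has no history."""
    ev = []
    for d in ("2026-01-19", "2026-01-20", "2026-01-21", "2026-01-22"):
        ev += [(d, "agent_a", f"A{d}-{i}") for i in range(30)]
        ev += [(d, "agent_b", f"B{d}-{i}") for i in range(25)]
    ev += [("2026-01-23", "agent_a", f"A23-{i}") for i in range(35)]
    ev += [("2026-01-23", "agent_b", f"B23-{i}") for i in range(4000)]
    ev += [("2026-01-23", "agent_c", f"C23-{i}") for i in range(150)]
    return ev

if __name__ == "__main__":
    for who, result in sorted(evaluate(sample_events(), "2026-01-23").items()):
        print(who, result)
```

Counting distinct records rather than raw requests keeps repeated lookups of the same file from inflating the score, and the hard cap applies even to a principal whose own history is already high.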
Immediate Advice for Users:
- Monitor Transactions: Check your bank statements weekly. Under EU law, you have 8 weeks to dispute a fraudulent direct debit.
- Beware of "Official" SMS: The DGFiP has warned that they will never ask for your login or card number via SMS.
- Assume Public PII: With 1.2 million records leaked, assume your IBAN is public. Ensure your bank uses "Out-of-Band" authentication (like a hardware token or dedicated app) for any new payment mandates.
Stay ahead. Stay dangerous.
Team Hacklido ❤️