Hackers hit France’s student aid system, exposing data on 774,000 people, some dating back a decade

A major cyberattack on France’s national student services network has exposed personal data tied to 774,000 students and former students, information that could quickly fuel targeted scams aimed at young people scrambling for housing and financial help.

French officials say the breach stems from a government appointment-booking site used to reach local offices that handle student housing and social assistance. The agency overseeing the system learned of the incident on March 23, 2026, reported it to France’s privacy regulator, and filed a criminal complaint.

The immediate worry: not just spam, but highly believable phishing emails that reference the exact reason someone contacted student services, housing, emergency aid, or other sensitive needs.

What was hacked, and why Americans should care

The compromised platform,mesrdv.etudiant.gouv.fr, is France’s centralized scheduling tool for the Crous network, regional offices that function a bit like a combined campus housing authority and student support agency. The national body that oversees Crous, known as the Cnous, said the stolen data covers appointments made over the last 10 years.

That long window matters. It means the breach doesn’t just hit current students; it can also reach people who graduated years ago but once used the system for housing or social support.

Cnous put the number of affected people at 774,000. Higher figures circulated online, but officials say some of those estimates likely confused the number of appointments or database records with the number of unique individuals.

Two tiers of exposure: basic appointment data vs. uploaded documents

According to Cnous, about 635,000 people had “limited” data exposed: first and last name, email address, and the subject and date of an appointment. Even without Social Security-style ID numbers or bank details, that’s enough to craft convincing messages that look official.

A more serious category involves roughly 139,000 people whose uploaded attachments were allegedly exfiltrated, files submitted through the platform as part of housing or aid requests.

Cnous has not publicly listed what those attachments included. But in student housing and benefits cases, uploads can range from proof-of-address paperwork to administrative forms, and potentially identity documents.

Hackers claim a massive cache; officials won’t confirm what’s inside

A group calling itself DumpSec has claimed responsibility and suggested the stolen database is large and for sale. Public claims attributed to the group describe a trove of roughly 200 gigabytes, about 200 GB, or around 0.2 terabytes, potentially including copies of ID documents or pay stubs.

Cnous has not confirmed those specifics, a common stance early in an investigation while forensic teams determine exactly which files were taken.

Separately, a French breach-tracking site, FrenchBreaches, cited figures as high as 1.9 million “elements.” Cybersecurity experts caution that such numbers often refer to records or appointments, not distinct people, especially when a single person can appear multiple times over a decade.

The real-world risks: phishing first, identity fraud if IDs were included

The fastest, most likely threat is targeted phishing. With a name, email, and an appointment topic like “housing” or “financial aid,” scammers can send messages that feel authentic: “Your housing file is incomplete,” “Your appointment was moved,” or “Upload your documents again.” The goal may be to trick victims into handing over additional sensitive paperwork.

If identity documents were among the stolen attachments, the stakes rise sharply. A clear scan of a passport or national ID can be used to attempt account openings, rental fraud, or the creation of convincing fake application files. Even failed attempts can leave victims spending months proving they weren’t behind fraudulent activity.

There’s also a quieter risk: psychological pressure. The mere fact that someone booked an appointment with a social services office can reveal vulnerability. Scammers can exploit that with intimidation, threatening to “freeze” a file unless a victim responds immediately.

What to do if you used the site

French officials say affected individuals will be notified. In the meantime, cybersecurity staff interviewed by French outlets emphasized basic steps that matter most in this kind of breach: don’t click links in unsolicited emails referencing Crous appointments, go directly to official websites instead of using emailed links, and save messages that look suspicious.

Another practical rule: treat any email demanding urgent document uploads as a red flag, especially if it pressures you to act fast or bypass normal channels.

A broader wave of attacks on education systems

The Crous breach lands amid a string of cyber incidents hitting French education-related institutions. Earlier in March, hackers stole data tied to about 243,000 employees in France’s national education system. France’s Catholic education network also reported an attack exposing administrative data on roughly 1.5 million people.

For Cnous, the looming question is one Americans will recognize from breaches at schools, hospitals, and government agencies: why keep a decade of records in a system that can be hacked? Agencies often cite legal archiving and accountability requirements, but longer retention also increases the damage when security fails.

What happens next will hinge on specifics Cnous hasn’t fully provided yet, exactly which attachments were taken, and how many contained high-value documents. Without clear, actionable guidance, the biggest danger may shift from the initial hack to a second wave of opportunistic fraud that feeds on confusion.