You can't make it up! Post-heist report reveals the password for the Louvre's video surveillance was...'LOUVRE'


You might expect that a museum holding some of the world's most precious artefacts would spare no expense on every aspect of security.

But a new post–heist report shows that the Louvre's cybersecurity makes most office email accounts look like Fort Knox.

In the most baffling error, confidential documents seen by the French newspaper Libération show that the password for the Louvre's video surveillance was 'LOUVRE'.

Which, as one social media commenter pointed out, is 'basically one step above "password".'

As if that wasn't bad enough, the report also found that the password to access another key piece of software was 'THALES'.

That might not sound easy to guess, until you learn that the software was published by the tech company Thales.

It isn't yet clear whether these glaring weaknesses contributed to the October 18 heist that saw $102 million (£76 million) of crown jewels stolen in broad daylight.

However, the news has made the museum the laughing stock of the cybersecurity world, with one tech fan joking: 'If you ever have impostor syndrome, just remember that the security password for The Louvre was "louvre".'

A post–heist report on the Louvre's security found that the password for the museum's video surveillance system was shockingly set to 'LOUVRE'

The Louvre has become the laughing stock of the cybersecurity world as it emerges that passwords were set to the name of the museum and the name of the software provider 

On social media, one commenter pointed out that this was 'one step above' using 'password' to keep your accounts secure

These shocking revelations come from a trove of security reviews conducted by the French National Cybersecurity Agency (ANSSI) dating back over a decade.

In 2014, ANSSI was called in to audit the museum's critical IT systems, which control the alarms, access control, and video surveillance.

Even back then, the Louvre was warned that 'an attacker who manages to take control of it would be able to facilitate damage or even theft of artworks.'

Yet the review found that protections for this critical infrastructure were 'trivial'.

Javvad Malik, cybersecurity advisor at software firm KnowBe4, told Daily Mail: 'The museum's video surveillance systems were protected by shockingly simplistic passwords.'

By making these passwords the same as the name of the museum and software provider, the Louvre opened the door to even the most basic hacking attempts.

Mr Malik adds: 'Whether this weakness played a role in the heist is still under review. But the lesson is clear.

'When systems safeguarding priceless cultural treasures rely on guessable credentials, it's not a policy gap – it is an invitation, serving as an indicator that the overall culture of security may be weak.'

This comes after a brazen daylight heist saw thieves smash through cabinets at the Louvre and make away with $102 million (£76 million) of France's crown jewels

These reports come from confidential documents produced by over a decade of security reviews conducted by the French National Cybersecurity Agency. As far back as 2014, the museum was warned that having its systems compromised could lead to theft 

Social media commenters flocked to poke fun at the museum after the heist. However, it is not yet clear whether the cybersecurity issues had any relation to the October 18 robbery 

Not only did the Louvre have comically weak passwords, but the museum was also running an outdated version of Windows.

This is essentially the cybersecurity equivalent of leaving your front door unlocked, and allows hackers to use known exploits to gain access to vital information.

It isn't clear whether these issues were addressed at the time, but later reports, as recent as 2025, still show major security issues.

For example, in 2017, ANSSI warned that, while the museum 'has thus far been relatively spared, it can no longer ignore the potential threat of an attack whose consequences could prove dramatic.'

On social media, tech fans have flocked to ridicule the Louvre's security blunders.

One commenter on X wrote: 'If you feel like you're bad at your job and it's making you depressed, just consider that, as the investigation of the recent heist revealed, the password to access the Louvre's video surveillance system was "Louvre".'

'What do you mean the Louvre's security camera password was "Louvre",' asked one commenter.

Another chimed in: 'not even L0uvr3! ?'

One commenter joked that people should remember this password blunder whenever they 'feel like you're bad at your job'

Another shocked commenter joked that the security team could have at least added some numbers or punctuation to make the password more secure 

One commenter chimed in that their password at work had to be at least 15 characters long, likely making their emails more secure than the Louvre's video surveillance system 

While one baffled commenter asked: 'My password at work has to be like 15 characters... ******* how is that possible?'

Despite how quickly the heist was carried out, these security issues are yet more evidence that the Louvre robbers were not as professional as they might have first seemed.

The suspects used a stolen mechanical lift to gain access to the Galerie d'Apollon (Gallery of Apollo) via a balcony before cracking open display cases and escaping just four minutes later.

However, along the way, they managed to drop one of the crown jewels, Empress Eugenie's crown, left tools behind, and failed to set fire to the lift.

This week, Paris' prosecutor Laure Beccuau described the thieves as petty criminals rather than professional members of an organised crime group.

Speaking to Franceinfo radio, Ms Beccuau said: 'This is not quite everyday delinquency... but it is a type of delinquency that we do not generally associate with the upper echelons of organised crime.'

CHOOSING A SECURE PASSWORD

According to internet security provider Norton, 'the shorter and less complex your password is, the quicker it can be for the program to come up with the correct combination of characters. 

'The longer and more complex your password is, the less likely the attacker will use the brute force method, because of the lengthy amount of time it will take for the program to figure it out.

'Instead, they'll use a method called a dictionary attack, where the program will cycle through a predefined list of common words that are used in passwords.'

Here are some steps to follow when creating a new password:

DO:

  • Use a combination of numbers, symbols, uppercase and lowercase letters
  • Ensure that the password is at least eight characters long
  • Use abbreviated phrases for passwords
  • Change your passwords regularly
  • Log out of websites and devices after you have finished using them

DO NOT:

  • Choose a commonly used password like '123456', 'password', 'qwerty' or '111111'
  • Use a solitary word. Hackers can use dictionary-based systems to crack passwords
  • Use a derivative of your name, family member's name, pet's name, phone number, address or birthday
  • Write your password down, share it or let anyone else use your login details
  • Answer 'yes' when asked to save your password to a computer browser
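
The two passwords named in the report break the DO NOT list for a reason a generic strength meter can miss: they are the organisation's and the vendor's own names. A check that could run when a password is set, as an added example that is not part of the original article; the substitution map, the context-term list and the sample candidates are constructed for illustration, and the eight-character minimum is the one from the list above.

```python
import re
import unicodedata

# Constructed, non-exhaustive map of common character substitutions
# (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i).
LEET = str.maketrans("013457@$!", "oleastasi")

# Commonly used passwords named in the article's DO NOT list.
COMMON = {"123456", "password", "qwerty", "111111"}


def normalise(text):
    """Lower-case, strip accents, undo substitutions, keep letters only."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", no_accents.translate(LEET))


def check_password(password, context_terms, min_length=8):
    """Return the list of reasons a candidate password should be rejected."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password.lower() in COMMON:
        reasons.append("commonly used")
    if password.isalpha():
        reasons.append("single word")
    # Compare in normalised form so 'L0uvr3' is caught as well as 'LOUVRE'.
    folded = normalise(password)
    for term in context_terms:
        key = normalise(term)
        if len(key) >= 3 and key in folded:
            reasons.append(f"contains context term: {term}")
    return reasons


if __name__ == "__main__":
    # Context terms an organisation would supply: its own name, vendors, products.
    terms = ["Louvre", "Thales"]
    # Constructed candidates; the last one is only there to show a pass.
    for candidate in ["LOUVRE", "THALES", "L0uvr3!2024", "Tr4in-Quiet-Maple-92"]:
        print(candidate, "->", check_password(candidate, terms) or "accepted")
```
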