Stratos Ally

When a Museum’s Biggest Security Flaw Was Right There in Its Name 


StratosAlly


The Louvre’s video surveillance password was “Louvre.” Yes, really. 

When France's National Cybersecurity Agency (ANSSI) audited the world-famous museum in 2014, auditors discovered that gaining access to the system monitoring one of history's most valuable art collections required nothing more than typing in the institution's own name. No symbols, no numbers, just six letters, a password any moderately motivated attacker would try within the first few guesses. 

The revelation surfaced recently when confidential ANSSI audit documents obtained by French newspaper Libération were examined following the October 19, 2025, heist that netted thieves $102 million in crown jewels. While the low-tech robbery, executed with cherry pickers and chainsaws in roughly seven minutes, didn’t necessarily depend on digital access, the password discovery exposed something far more damaging to the Louvre’s reputation than any single theft: institutional complacency around digital security. 

The CCTV password wasn't the only one that lacked imagination. Software access credentials, managed by Thales, the security technology firm, relied on an equally predictable choice: the company's own name. Worse still, the 2014 audit found the museum's core security network ran on Windows Server 2003, software that was by then more than a decade old and whose Microsoft support ended in July 2015. Whether the museum ever changed its video surveillance password after the 2014 audit is unclear; no official confirmation is available yet. However, according to a museum employee who spoke with ABC News, the password protecting the Louvre's system at the time of last month's heist was still simply "Louvre." 

This pattern of negligence isn’t unique to the Louvre. Across India, hackers systematically compromised CCTV systems at hospitals, schools, and factories using brute-force attacks to crack weak default passwords like “admin123.” The criminals obtained nearly 50,000 clips from across the country over a nine-month period in 2024. Footage from medical facilities, including private examinations of women, ended up on pornographic sites and Telegram channels, selling for 700 to 4,000 rupees per clip. No one had bothered to change the defaults. 

The Louvre’s situation reveals a specific organizational failure: the gap between knowing about a vulnerability and actually fixing it. ANSSI flagged these weak passwords in 2014. An audit in 2015 emphasized “serious shortcomings,” including inadequate visitor management, unsecured roof access left open during renovations, and infrastructure running on outdated software versions. Yet a 2024 national audit report found that the museum wasn’t expected to complete all the recommended security upgrades until 2032, a full eighteen years after the initial warning. 

The museum has now acknowledged “security gaps” and begun a multiyear upgrade cycle. Whether the organization’s leadership will adequately resource it, complete it on schedule, and ensure that a culture supporting digital security persists beyond the current administration remains an open question. 

For now, the passwords protecting video surveillance of one of the world's most visited art museums serve as a reminder: when you use your name as your security, you're not protecting anything. You're just announcing to the world that no one is paying attention to security. 
