Privacy Security Software Games

The Louvre's Video Surveillance Password Was 'Louvre' (pcgamer.com) 90

A bungled October 18 heist that saw $102 million of crown jewels stolen from the Louvre in broad daylight has exposed years of lax security at the national art museum. From trivial passwords like 'LOUVRE' to decades-old, unsupported systems and easy rooftop access, the job was made surprisingly easy. PC Gamer reports: As Rogue cofounder and former Polygon arch-jester Cass Marshall notes on Bluesky, we owe a lot of videogame designers an apology. We've spent years dunking on the emptyheadedness of game characters leaving their crucial security codes and vault combinations in the open for anyone to read, all while the Louvre has been using the password "Louvre" for its video surveillance servers. That's not an exaggeration. Confidential documents reviewed by Liberation detail a long history of Louvre security vulnerabilities, dating back to a 2014 cybersecurity audit performed by the French Cybersecurity Agency (ANSSI) at the museum's request. ANSSI experts were able to infiltrate the Louvre's security network to manipulate video surveillance and modify badge access.

"How did the experts manage to infiltrate the network? Primarily due to the weakness of certain passwords which the French National Cybersecurity Agency (ANSSI) politely describes as 'trivial,'" writes Liberation's Brice Le Borgne via machine translation. "Type 'LOUVRE' to access a server managing the museum's video surveillance, or 'THALES' to access one of the software programs published by... Thales." The museum sought another audit from France's National Institute for Advanced Studies in Security and Justice in 2015. Concluded two years later, the audit's 40 pages of recommendations described "serious shortcomings," "poorly managed" visitor flow, rooftops that are easily accessible during construction work, and outdated and malfunctioning security systems. Later documents indicate that, in 2025, the Louvre was still using security software purchased in 2003 that is no longer supported by its developer, running on hardware using Windows Server 2003.

This discussion has been archived. No new comments can be posted.
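The audit finding quoted above (passwords equal to the organisation's or the vendor's name) is what a context-specific denylist check at password-set time is meant to catch. The following is an added example, not code from the article or the audit; the account names, sample passwords and function names are constructed for illustration.

```python
import re

# Cheap character substitutions people use to "decorate" a word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def _letters(text):
    return re.sub(r"[^a-z]", "", text.casefold())


def _residues(password):
    """Letter-only forms of the password: digits/symbols dropped, or read as leetspeak."""
    lowered = password.casefold()
    return {r for r in (_letters(lowered), _letters(lowered.translate(LEET))) if r}


def _is_repetition(letters, word):
    """True if letters is word written one or more times in a row."""
    count, rest = divmod(len(letters), len(word))
    return rest == 0 and count >= 1 and letters == word * count


def derived_from(password, context_words):
    """Return the context word a password is built from, else None.

    Flags the word itself, its reversal, and repetitions of either, after
    case, digits and symbols are ignored. Run this where the plaintext is
    available (password change), not against stored hashes.
    """
    for word in context_words:
        base = _letters(word)
        if len(base) < 3:          # too short to be meaningful
            continue
        for letters in _residues(password):
            if _is_repetition(letters, base) or _is_repetition(letters, base[::-1]):
                return word
    return None


def audit(credentials, org_words):
    """Check each (account, password) pair against org words plus its own account name."""
    findings = []
    for account, password in credentials:
        hit = derived_from(password, [*org_words, account])
        if hit:
            findings.append((account, hit))
    return findings


# Constructed sample data: organisation and vendor names from the story,
# hypothetical accounts, and password variants of the kind joked about in the thread.
ORG_WORDS = ["Louvre", "Thales"]
SAMPLE = [("cctv-admin", "LOUVRE"), ("vendor-app", "THALES"),
          ("badge-svc", "123@Louvre"), ("backup", "ervuoL"),
          ("ops", "LouvreLouvre123"), ("kiosk", "K1osk!"),
          ("archive", "v9#Tq2!mZr7$wLx")]

if __name__ == "__main__":
    for account, word in audit(SAMPLE, ORG_WORDS):
        print(f"{account}: password derived from context word {word!r}")
```

The check deliberately matches only whole-word derivations; a production denylist would usually add substring and edit-distance matching on top.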

  • Man o man. What a good time to be a criminal!

    That museum deserves to lose its entire collection.

    • by davidwr ( 791652 )

      >That museum deserves to lose its entire collection.
      If it were a privately-owned museum I might agree with you.

      As a publicly owned museum owned by the people of France, I can't agree with you.

      I will say that more than one person involved in the Louvre's security needs to be sacked if not prosecuted for criminal negligence, assuming any such laws apply.

    • by reanjr ( 588767 )

      I really want a slick produced show where an international team of non-European thieves engages in operations to repatriate stolen relics.

      Would be difficult to get rights to film in the museums, though, in all likelihood.

      • It is not a show, but a game: Relooted by Nyamakop [nyamakop.co.za].
      • Re: (Score:1, Troll)

        by drnb ( 2434720 )

        I really want a slick produced show where an international team of non-European thieves engages in operations to repatriate stolen relics.

        Why? So ISIS/Daesh/Taliban can destroy the pre-Islamic art?

        "Built in the 6th century, the Buddhas of Bamiyan were two monumental size statues, standing at 115 and 174 feet tall, carved into the sandstone cliffs of the Bamiyan valley in central Afghanistan. These statues best exemplified the Gandharan Buddhist art school, as well as the greater cultural landscape of Buddhism and its influences during the 1st to 13th centuries. In 2001, the statues were destroyed by the Taliban over the course of 25 days. A

        • You're aware that ISIS didn't make that art right? How would it be repatriation?

          • These places existed before ISIS. If you want to limit repatriation to people who created things then almost by definition nothing in a museum should be given back.

            • Ok, but in this case, the statues would be repatriated to China from Afghanistan.

              • by drnb ( 2434720 )

                Ok, but in this case, the statues would be repatriated to China from Afghanistan.

                The Buddhist statues were native to Afghanistan not China. And Buddha was from Nepal not China. Buddhism spread to many areas including Afghanistan.

                • Right. The statues were never stolen. That's why I'm confused about how these statues would be repatriated. I'm using China just because it's somewhere that's not Afghanistan that might have a cultural claim.

                  • by drnb ( 2434720 )

                    Right. The statues were never stolen. That's why I'm confused about how these statues would be repatriated. I'm using China just because it's somewhere that's not Afghanistan that might have a cultural claim.

                    The reference was to illustrate what some locals do with their cultural inheritance. That repatriation being a good thing depends entirely upon who you are repatriating to. After learning of those statues, would you be OK with repatriating non-Islamic cultural treasures to ISIS, Daesh, Taliban, etc?

          • by drnb ( 2434720 )

            You're aware that ISIS didn't make that art right? How would it be repatriation?

            Repatriation may put art in the hands of ISIS or likeminded individuals. Some of the looted art is safer where it is.

            Sorry, politically incorrect, but realistic at times.

          • If only the people that made that art can claim ownership then I have some bad news for you. Those people are long dead.
      • Wow. Troll, huh? How racist do you have to be to feel trolled by such an idea? Are we talking MAGA level? Or KKK?

    • Come on, they used both upper and lower case. Give them a little credit. :-)
    • Why? It's not like this had anything to do with the heist, and it's not like other places do it any better.

      Heists are committed by dumb criminals, not state sponsored masterminds. Less Tom Cruise movies for you.

  • I thought the password was ervuoL.

  • by Joe_Dragon ( 2206452 ) on Wednesday November 05, 2025 @08:50PM (#65776458)

    Windows Server 2003 belongs in a museum

    • by geekmux ( 1040042 ) on Wednesday November 05, 2025 @09:28PM (#65776524)

      Windows Server 2003 belongs in a museum

      Technically, it was.

      The display just happened to be warehoused in the operational wing. Attached to a power plug. Connected to a wall socket. Powered on. And configured with a slightly insecure password policy, given the server name of "Louvre", the username of "Louvre", the passwo, yeah it's one hell of a museum piece.

      Even the ILOVEYOU architects were impressed.

    • I trust Windows Server 2003 more than I trust Windows 11. It's less stable, but Microsoft isn't in control of your machine.

      • "one is pre owned and one will take a few minutes"
        MS shit is so bad that it should be considered negligent to use them. I guess the OSCP test got rid of Linux in its simulations because people would always go straight for the Windows machines every time anyhow. It's really time we stop deluding ourselves that they're targeted because they're so popular or the other standard industry Microsoft apologetics and respond with ridicule instead of argument. This wasn't a situation that came about by logic or

  • This isn't my field so I kind of mean this sarcastically and kind of not, but I feel like cyber security audits must be a good business to be in. Get hired to find the vulnerabilities, list out the most basic things and write up a report with recommendations to fix it, then get hired 2 years later to do the same thing and find the exact same stuff. (I'm referencing the fact that the Louvre had an audit in 2014 and then another in late 2015 that found the most basic logic security flaws, which obviously in
    • by rta ( 559125 ) on Wednesday November 05, 2025 @08:56PM (#65776470)

      which obviously in 2025 weren't fixed per the article

      That's not what the article says, it merely wants to give that impression, because it's easier for them to get clicks that way.

      Note that the only claims made as of the 2025 report are that they're using Windows Server 2003 and some old security software in some capacity. The stuff about the passwords is all from 2014 and 2015.

      • Unless that's an incredibly locked down Windows 2003 server, it's basically criminal negligence to be running such an out of date operating system. The fact it was set up with lousy passwords makes me believe it probably wasn't locked down either. They were asking for trouble with such poor security practices.

        • by cusco ( 717999 )

          If it's on a private network with controlled physical access then it could be running DOS and it's not actually a security risk.

          • If it's on a private network with controlled physical access then it could be running DOS and it's not actually a security risk.

            It's not a security risk if any other node connected to the same private network can compromise it? lol

            • by cusco ( 717999 )

              In a different post I pointed out that you need to control access to the end points.

    • by cusco ( 717999 )

      Had an instructor in college whose day job was doing pen tests for financial institutions. When they arrived at a site they'd be assigned a conference room, and while he started setting their equipment up his partner would get on the phone. Calling a branch office he'd say, "Hi, I'm Greg, the new guy in IT. I'm supposed to update the configuration on the router in your office, but I don't have the password and everyone else in my department is in a benefits meeting. They said your manager has the correc

  • Check out the Hank Green interview with Sherri Davidoff on YouTube for a pretty nuanced look into the failures and successes of this heist.

    https://youtu.be/NIGbQ9NHFEg [youtu.be]

  • Now we'll just have to locate every copy of the web page and have it dipped in acid to make sure no one can break in at a later date.

  • by Anonymous Coward
    There seems to be no actual connection identified between poor passwords and the heist. No connection identified between out of date technology and the heist. But it makes a great story. It sounds a bit like worrying about the bad lock on the door when somebody put a chair through the window. It's not a trivial point. They are likely going to spend a lot of time and money "improving" their outdated security technology instead of evaluating their real security needs.
  • Clearly the Louvre should have used the higher security ERVUOL.

    ( /s )

    • Alternatively, they at least could've gone with "Louvre2".

      • 123@Louvre
        Numbers, symbols, and at least one capital letter. Very strong password.

        • 123@Louvre Numbers, symbols, and at least one capital letter. Very strong password.

          Password Monster rates that as a weak password.

          But hoooolld on a second. TIL there are sites where you can just type your password into!?!?

          Jeebuz K. Ryste on a trampoline. We're lost, we're so lost.

  • Didn't Matter (Score:5, Informative)

    by PleaseThink ( 8207110 ) on Wednesday November 05, 2025 @09:38PM (#65776534)

    The criminals effectively just did a smash-and-grab (plus guard threatening) while pretending to be construction workers. None of that poor IT security mattered. In other words, it doesn't matter that their new password was changed to "LOUVRE!".

    • Re:Didn't Matter (Score:5, Informative)

      by thegarbz ( 1787294 ) on Thursday November 06, 2025 @03:53AM (#65776854)

      This. Virtually none of the museum break-ins (there have been a lot in Europe in the past 5 years) have looked anything like those stupid heist movies, or a computer game. Security and passwords are virtually irrelevant.

      I'm reminded of a facility I once worked on. We had full time security and a gate. Ultimately we had a coked-up copper thief, barely able to control their car, who just drove in, stole some cable and a ladder, and drove out again. Turns out that the security guard on Sunday was the only person present and while he went to the toilet he opened the boom gate so that operations could come and go as they pleased.

      We're trained by movies to think that thefts from secure facilities are some big brained Tom Cruise style parachuting in from a plane with sleeping dart guns and tools to stop the laser alarms from going off.

      But in reality many thefts are just dumb. They aren't performed by ANSSI experts, they are performed by thugs with low tech.

    • by AmiMoJo ( 196126 )

      It speaks to their generally lax security efforts. People imagine that the Louvre is some kind of Fort Knox style impenetrable fortress d'art.

    • Absolutely true, but the incident will still be used as an excuse to rant over poor technical security, maybe sack some people and spend millions of euros on "better" security that will do nothing but cost money and inconvenience visitors.
  • When it was acceptable that historical artifacts would be "moved" (more like stolen) from African and Eastern countries to European museums like Louvre, so they'd be safer there? Yeah.

    • Re:Remember? (Score:5, Informative)

      by test321 ( 8891681 ) on Wednesday November 05, 2025 @10:28PM (#65776616)

      It might be ethically unacceptable by today's standards, but the state of the world still makes it technically correct. Museums of poorer countries get ransacked during wartime. Compare one spectacular heist at the Louvre and thoroughly looting the entire 100,000 piece collection of the Khartoum museum in Sudan last year.

      1) Sudan National museum was looted and ransacked in 2023/2024; it contained 100,000 pieces of art from the different cultures from the Nile Valley https://www.theartnewspaper.co... [theartnewspaper.com]
      2) Destructions during the 2015 Syrian war https://en.wikipedia.org/wiki/... [wikipedia.org]
      3) Destruction of religious and historic relics of Timbuktu, Mali during the 2012 war https://en.wikipedia.org/wiki/... [wikipedia.org] ; the International Criminal Court (The Hague) sentenced an Al Qaeda associate https://www.icc-cpi.int/mali/a... [icc-cpi.int]
      4) Looting of Iraq Museum in 2003 https://en.wikipedia.org/wiki/... [wikipedia.org]
      5) The very long list of cultural destructions by the Islamic State everywhere it passed by https://en.wikipedia.org/wiki/... [wikipedia.org]

      • Compare one spectacular heist at the Louvre

        While you're not wrong about the Sudan museum, calling it one spectacular heist at the Louvre is disingenuous. Right now it's just the latest heist in a list of many in Europe in the past year. You just know what the Louvre is so it got international attention.

        Funny enough the day after the Louvre heist was the day of the judgement of a court case of a woman who stole millions in gold nuggets from the Museum of Natural History in Paris only a month prior. There was also a spectacular heist of the Helmet o

  • Pack up the entire collection and move it to Llanfairpwllgwyngyll, Wales.

  • Am I the only one that didn't read anything past "PC gamer reports:"? How sad the world has become that this is probably one of the most accurate and nuanced articles our current news media can produce. I'll go back and read it in a bit - just had to put this out there.
  • Could not some of these shortcomings be due to long term budget cuts? Or poor allocation thereof towards important security measures for the most famous irreplaceable artifacts on display in the world? Cyber or not, many things could and should have been improved after a decade+
  • I certainly envy the faith of the editor using the past tense there. What are chances they changed it? :p

  • Using a foreign word is good practice.
  • Even the heist movie would choose a better password than that - otherwise the hacking scene would be boring - unless it was a comedy of course.

  • Sure, it's €88 Mil. damages now, but I'd argue it's worth it. The last significant (and much smaller) break-in/theft was in 1998, the one before in 1976, so it's on average a few millions every 20 years. Imho far better than expensive security theatre that sucks for visitors.
  • Has it been determined whether the IT situation was related to the theft that occurred?

    Obviously it sounds like basically no bad option was left unchosen when it came to their IT config; but I'm curious whether this was a situation where the perps were actually sophisticated enough (or unsophisticated at traditional smash-and-grab/balaclava-when-on-camera techniques) to incorporate the bad IT into the heist; or whether the entry was more or less pure physical access control failure that happens to put th
    • Has it been determined whether the IT situation was related to the theft that occurred?

      If their IT security was this halfassed, then their physical security probably was too. They could have solved the IT security problem by hiring someone competent to do an audit, and then follow their recommendations. They obviously skipped at least one of those steps. That kind of sloppiness doesn't occur in just one area, it has to be systematic.

  • The video systems are typically like this, they aren't run by your average good looking, hyper smart information security professionals, they are run by physical security which is a whole different kettle of fish. I once worked at an org where there was NO password on the video surveillance, and they refused to set up one. So I went and showed the Windows server admins, who were well known scamps, how to access it and pan/tilt the cameras and left it at that. I don't know what those Windows admins were doin
  • Am I the only one who thinks this whole thing could have been avoided with just a dog, or an old-timer walking a security beat?
    • It happened in broad daylight and the thieves threatened physical harm to the employees. Sorry but nobody is paid enough to deal with that.

      • by kackle ( 910159 )
        Didn't it take a long time to cut through the glass(es) to where the police could have been called? I didn't know anyone was aware of the theft in progress and was held at knife/gunpoint.
      • There is such a thing as an armed security guard. The Louvre unfortunately didn't have any.
  • Meanwhile I'm out here making different passwords for each service or site I have, changing out the passwords every 3-4 years.

    I'm gonna die and they'll just drop my machines in the grave with me.

  • To remove the Mona Lisa, the password is 'MonaLisa'.

  • ... that they have changed it to 'Louvre1'

    Thank you! I'll see myself out.

  • New and totally secure password will be:
    LouvreLouvre123
