The air of criminal mystique has been dispelled somewhat in the weeks following the October 18 heist that saw $102 million of crown jewels stolen from the Louvre in broad daylight. The suspects fumbled an entire crown during their escape, before trying and failing to light their mechanical lift on fire as a diversionary tactic. Arsène Lupin would be appalled.
How exactly, then, did the most renowned gallery in France find itself pillaged by a cadre of buffoons in high visibility vests? Reporting from French newspaper Libération indicates the theft is less of an anomaly than we might expect, as the Louvre has suffered from over a decade of glaring security oversights and IT vulnerabilities.
As Rogue cofounder and former Polygon arch-jester Cass Marshall notes on Bluesky, we owe a lot of videogame designers an apology. We've spent years dunking on the emptyheadedness of game characters leaving their crucial security codes and vault combinations in the open for anyone to read, all while the Louvre has been using the password "Louvre" for its video surveillance servers.
That's not an exaggeration. Confidential documents reviewed by Libération detail a long history of Louvre security vulnerabilities, dating back to a 2014 cybersecurity audit performed by the French Cybersecurity Agency (ANSSI) at the museum's request. ANSSI experts were able to infiltrate the Louvre's security network to manipulate video surveillance and modify badge access.
"How did the experts manage to infiltrate the network? Primarily due to the weakness of certain passwords which the French National Cybersecurity Agency (ANSSI) politely describes as 'trivial,'" writes Libération's Brice Le Borgne via machine translation. "Type 'LOUVRE' to access a server managing the museum's video surveillance, or 'THALES' to access one of the software programs published by… Thales."
The museum sought another audit from France's National Institute for Advanced Studies in Security and Justice in 2015. Concluded two years later, the audit's 40 pages of recommendations described "serious shortcomings," "poorly managed" visitor flow, rooftops that are easily accessible during construction work, and outdated and malfunctioning security systems.
Later documents indicate that, in 2025, the Louvre was still using security software purchased in 2003 that is no longer supported by its developer, running on hardware using Windows Server 2003.
When the safeguards for France's crown jewels are two decades out of date, maybe we could all afford to go a little easier on the absurdity of hacking minigames, password post-it notes and extremely stealable keycards. Heists, it seems, aren't actually all that hard.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
