You might expect that a museum housing some of the world’s most priceless artefacts would have cybersecurity measures as impenetrable as its glass cases. But a new report has revealed that the Louvre’s IT defences were so lax that the recent €102 million heist may have been helped along by astonishingly simple mistakes — including using the password “LOUVRE” to access its own security cameras.
Confidential documents obtained by the French newspaper Libération show that the museum’s video surveillance system — which monitors thousands of visitors daily — was protected by the single, all-caps password “LOUVRE”. As one social media user joked, “That’s basically one step above using ‘password’.”
The embarrassment doesn’t stop there. The password for another key piece of software, used to monitor alarm systems, was reportedly “THALES” — the same as the French tech company that built it. “It’s like writing your PIN on your bank card,” one cybersecurity analyst commented.
While it remains unclear whether these oversights directly contributed to the October 18 robbery — in which thieves stole $102 million (€96 million) worth of crown jewels in broad daylight — the revelations have made the Louvre a laughing stock in cybersecurity circles.
The French National Cybersecurity Agency (ANSSI) had already raised concerns a decade ago. A 2014 audit warned that an attacker gaining access to the museum’s systems “would be able to facilitate damage or even theft of artworks.” Despite the warning, ANSSI found the museum’s protections were “trivial”, and many issues went unaddressed in subsequent years.
Javvad Malik, cybersecurity adviser at KnowBe4, said the findings were “shocking but not surprising.” He explained: “When systems safeguarding priceless cultural treasures rely on guessable credentials, it’s not a policy gap – it’s an invitation. It shows a culture of weak security rather than an isolated mistake.”
To make matters worse, the report also found that the Louvre was running an outdated version of Windows, leaving it exposed to known hacking exploits. In cybersecurity terms, it was the equivalent of leaving the front door unlocked.
As recently as 2025, follow-up reports continued to highlight significant weaknesses. A 2017 ANSSI warning noted that while the museum had been “relatively spared” from cyberattacks so far, it could “no longer ignore the potential threat of an attack whose consequences could prove dramatic.”
Online, users have ridiculed the museum’s security setup. “If you feel bad at your job, remember that the Louvre’s security camera password was ‘Louvre’,” wrote one X user. Another joked: “Not even L0uvr3 with numbers? My work password has to be 15 characters long!”
The heist itself unfolded with startling speed. Using a stolen mechanical lift, the thieves entered the Galerie d’Apollon through a balcony, smashed open display cases, and fled within four minutes. They reportedly dropped one of the stolen crowns — Empress Eugénie’s diadem — and left behind tools, suggesting a mix of boldness and clumsiness rather than professional precision.
This week, Paris prosecutor Laure Beccuau told Franceinfo radio that investigators do not believe the robbers were part of an organised crime ring. “This is not quite everyday delinquency,” she said, “but it is a type of delinquency that we do not generally associate with the upper echelons of organised crime.”
The irony is hard to miss: while France’s most famous museum was investing millions in state-of-the-art display cases and alarm systems, its digital defences were undone by passwords anyone could guess. For cybersecurity experts, it’s a stark reminder that even the world’s greatest cultural institutions can fall victim to the simplest of mistakes.
