If You Thought Breaking In Was Easy, Try Guessing the Louvre’s Password (Spoiler – You Already Did)

Last month’s cartoonish jewelry robbery at the Louvre has unearthed a new-old nugget of security trivia that would make any IT personnel cringe. For a time, the password to the museum’s video surveillance system was “Louvre.” Per an investigation by a French newspaper, Libération obtained confidential documents showing that a surveillance server’s credential was set to the museum’s name in 2014, while a software program provided by tech firm Thales used the single-word password “THALES.” The investigation also revealed the museum still had an office network running Windows 2000 in 2025, long after the OS stopped receiving antivirus updates.

Annual security audits from recent years also showed consistent problems. One from 2017, for example, found the risk of an attack “with potentially dramatic consequences” could no longer be dismissed as hypothetical. There had been warning signs about the Louvre’s digital security gaps for over a decade, both from critics of outdated software and physical vulnerabilities, like how anyone can climb to the roof of the building when construction is taking place. It is not yet clear if the audited passwords or other vulnerabilities had been fixed by 2025.

The actual robbery took place in the middle of the morning on Sunday, October 19th 2025 at 09:30. Four suspects, who had arrived in a small utility vehicle with a mechanical ladder, climbed to a first-floor balcony that accesses the Galerie d’Apollo, cut open display cases with power tools, and fled with nine 19th-century French Crown Jewels. One crown, belonging to Empress Eugénie, was dropped, but eight items in total remain missing, each worth millions of euros. The whole heist took approximately eight minutes. Per the museum’s director, the single exterior-facing camera covering the gallery was pointed in the wrong direction when it was breached.

Reaction to the password information has been swift and critical. Users on social media blasted the notion that one of the world’s most-visited institutions would use a video surveillance system protected by a credential only marginally better than “password.” Some observers pointed out that the museum is hard to spell correctly, even for museum workers, while others wondered if non-executive employees at many companies had stricter password policies than a museum safeguarding artwork worth tens of millions. The revelations also inspired numerous memes and think-pieces about the Louvre falling into the same category as dusty machines in office basements running decades-old software because “it still works. Security researchers noted that weak passwords, or reusing the same password across systems, is one of the easiest ways attackers can compromise a system. The Louvre’s experience highlights how organizations can forget old devices, old software, and default credentials, allowing those risks to fester for years.

As investigators attempt to recover the stolen jewels and charge the four suspects, the digital component of the story is its own source of shame. The museum has stated its systems did not fail during the 2025 incident, but the audits are proof of one thing..for many years, key elements of the Louvre’s security posture depended on passwords that a first-year cybersecurity student would be taught to avoid.