Just three months after hackers stole 800,000 Orange customers' details, the French carrier says it's been hacked again. This time, the details of 1.3 million customers in France were exposed.
Orange France is again warning its French customers to beware of phishing attempts following a hack discovered on 18 April. The security breach exposed customers' and prospects' first names, surnames, and in some cases, their email address, mobile and fixed-line phone numbers, date of birth, and the mobile carrier they were using.
French newspaper Le Monde reported that Orange delayed its public notification of the breach until 5 May in order to properly close the flaw exploited in the latest attack.
In a statement to ZDNet, Orange said it had identified "illegitimate access on a technical mailing and SMS platform" that the company uses for its commercial campaigns in France. The company declined to provide further information on how the attack was carried out, on the grounds that it's taking legal action on the matter.
Reuters reported that the attack was aimed at an "online portal" the carrier used.
In February, hackers exploited a flaw in the 'My account' section of the orange.fr website, allowing them to access the personal details of around 800,000 people. A possible method of attack was SQL injection, which are commonly used to trigger a database dump to an attacker.
While Orange did not provide any details on the nature of the earlier attack, it did say it didn't involve the same method used in this month's hack.
"I can confirm that this is completely different than the hack in February — and in both cases we have taken the appropriate action to ensure there is no further risk of access via the methods used," an Orange spokesman said.
According to Le Monde, after the most recent hack Orange sent its customers an email that warned them of increased phishing threats, which included a link to a "click to call back" feature that requests an Orange operator call the customer back within 48 hours.