Hackers access 800,000 Orange customers' data

Orange reveals an attack on its website exposed details for three percent of its French customer base.
Written by Liam Tung, Contributing Writer

Orange customers in France could see a spike in phishing attempts after hackers nabbed hundreds of thousands of customers' unencrypted personal data in an attack on the operator's website.

Hackers accessed the personal data of three percent of Orange's customers in France through the 'My Account' section of orange.fr, the company confirmed.

According to local reports, the attack took place on 16 January and affected nearly 800,000 individuals.

"These attackers accessed personal data from three percent of Orange customers in France, but the 'My Account' page was closed as soon as the attack was detected and technical measures were immediately taken to stop the attack," an Orange spokesperson said in a statement to ZDNet.

According to Orange, customer passwords were not accessed and "cannot be used", suggesting these were hashed or encrypted. However, the attackers did access enough personal data to mount a phishing attack.

Data that was accessed includes customers' names, mailing addresses, email addresses, telephone numbers and customer account IDs, although the account IDs were "masked" or "truncated".

"Theft of this type of data mainly serves to feed 'phishing' activities, and we ask our customers to remain vigilant and to never provide personal data over email or click on links in email that may be untrustworthy," the spokesperson said.

"Orange is already in contact with all customers affected, and no action by our customers is required." 

Orange hasn't said exactly how the breach occurred, but according to OWASP, the most common flaws in web applications include injection (of which SQL injection is the best-known form), cross-site scripting, and broken authentication and session management.

New data breach disclosure rules for Europe's telecoms operators were put forward in regulations for the sector last year, which require them to report such incidents to national authorities within 24 hours of discovery. Operators would not need to tell subscribers of a breach if the data was encrypted.
