Orange hacked. 800,000 French customers have their personal data stolen

Lisa Vaas

French telecom firm Orange, formerly known as France Télécom S.A., has confirmed that personal data of 3% of its customers – a little less than 800,000 people – was chiseled out of its databases on 16th January.

The French news outlet Le Figaro reports that the Orange data was breached from the “My Account” section of the orange.fr site.

Orange told ZDNet that the pirated data included customers’ names, mailing addresses, email addresses, telephone numbers and customer account IDs.


A spokesperson said that customer account IDs were “masked” or “truncated”.

ZDNet quoted a statement sent by the spokesperson:

“These attackers accessed personal data from 3% of Orange customers in France, but the ‘My Account’ page was closed as soon as the attack was detected and technical measures were immediately taken to stop the attack.”

The thieves didn’t get their hands on customer passwords, Orange said.

Or, well, at any rate, the passwords “cannot be used”, it said—meaning, one assumes, hopefully, that they were encrypted.

But even if Orange did encrypt the passwords, that wouldn’t mean much.

As we saw in Adobe’s password-pocalypse, a company saying its passwords were encrypted doesn’t mean that those passwords were properly salted and hashed.

Naked Security’s Paul Ducklin, with very little effort indeed, managed to precisely identify the top five passwords in that 38 million dump of encrypted passwords, plus the 2.75% of users who chose them, and the exact password length of nearly one-third of the database.

Were Orange’s records properly salted and hashed? Or just “encrypted”, as Adobe’s were?

Let’s hope for the former.
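What that difference looks like in a stolen table, as an added example (not code from this article, Orange or Adobe): it stores the same passwords once under deterministic, unsalted encryption and once as salted hashes, then counts what leaks without any key. The key, sample passwords, iteration count and the HMAC-per-block stand-in for a block cipher are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

KEY = b"constructed-demo-key"  # constructed: one site-wide key, no per-user randomness
BLOCK = 8                      # block size (bytes) of the stand-in cipher
ITERATIONS = 100_000           # assumed PBKDF2 work factor for this demo

def deterministic_record(password: str) -> bytes:
    """Stand-in for unsalted block-wise encryption (keyed HMAC per padded block).
    Not a real cipher: it only reproduces determinism and input-tracking length."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(
        hmac.new(KEY, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
        for i in range(0, len(data), BLOCK)
    )

def salted_record(password: str) -> bytes:
    """Per-user random salt + slow hash; stored as salt || digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_salted(password: str, record: bytes) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def audit(records: list[bytes]) -> dict:
    """What a stolen table shows with no key at all: repeats and record lengths."""
    counts = Counter(records)
    return {
        "largest_group": max(counts.values()),
        "distinct_lengths": len({len(r) for r in records}),
    }

# Constructed sample: three users share one password, three do not.
SAMPLE = ["123456", "123456", "123456", "password", "correct horse battery", "x9!Lq"]

if __name__ == "__main__":
    print("encrypted:", audit([deterministic_record(p) for p in SAMPLE]))
    print("salted   :", audit([salted_record(p) for p in SAMPLE]))
```

In the deterministic table the three identical passwords collapse into one repeated value and record length tracks password length; in the salted table every record is unique and the same size.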

At any rate, as the company pointed out, the attackers got enough bait to mount a phishing campaign, so customers should be on the watch for requests for personal data:

“Theft of this type of data mainly serves to feed ‘phishing’ activities, and we ask our customers to remain vigilant and to never provide personal data over email or click on links in email that may be untrustworthy.

“Orange is already in contact with all customers affected, and no action by our customers is required.”

Lisa Vaas I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.

One Reply to “Orange hacked. 800,000 French customers have their personal data stolen”

  1. If French processes are similar to UK ones, all that's needed is to get hold of a mailing extract, since EE send out account access information and passwords in plain text in a single letter to customers.
