Orange hacked. 800,000 French customers have their personal data stolen


French telecom firm Orange, formerly known as France Télécom S.A., has confirmed that personal data of 3% of its customers - a little less than 800,000 people - was chiseled out of its databases on 16th January.

The French news outlet Le Figaro reports that the Orange data was breached from the “My Account” section of the site.

Orange told ZDNet that the pirated data included customers’ names, mailing addresses, email addresses, telephone numbers and customer account IDs.

Orange security breach advisory for customers

A spokesperson said that customer account IDs were “masked” or “truncated”.

ZDNet quoted a statement sent by the spokesperson:

“These attackers accessed personal data from 3% of Orange customers in France, but the ‘My Account’ page was closed as soon as the attack was detected and technical measures were immediately taken to stop the attack.”

The thieves didn’t get their hands on customer passwords, Orange said.

Or, well, at any rate, the passwords “cannot be used”, it said—meaning, one assumes, hopefully, that they were encrypted.

But even if Orange did encrypt the passwords, that wouldn’t mean much.

As we saw in Adobe’s password-pocalypse, a company saying its passwords were encrypted doesn’t mean that those passwords were properly salted and hashed.

Naked Security’s Paul Ducklin, with very little effort indeed, managed to precisely identify the top five passwords in that 38 million dump of encrypted passwords, plus the 2.75% of users who chose them, and the exact password length of nearly one-third of the database.

Were Orange’s records properly salted and hashed? Or just “encrypted”, as Adobe’s were?

Let’s hope for the former.
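To make the difference concrete, here is an added example (not from the original article, and not Orange's or Adobe's code). It stores the same constructed passwords two ways: with a deterministic, single-key scheme (an HMAC-based stand-in for unsalted block encryption, not a real cipher) and with a per-user salt plus PBKDF2. The account names, `SITE_KEY` and the `ITERATIONS` value are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: three of five accounts share one password.
SAMPLE = [("alice", "123456"), ("bob", "123456"), ("carol", "correct horse"),
          ("dave", "123456"), ("erin", "photoshop")]
SITE_KEY = b"constructed-demo-key"  # one key for every record, no per-user input
ITERATIONS = 600_000                # assumed PBKDF2 work factor; tune per hardware

def deterministic_record(password: str) -> bytes:
    """Stand-in for unsalted single-key block encryption (not a real cipher):
    each zero-padded 8-byte block always maps to the same 8 output bytes."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 8)
    blocks = (data[i:i + 8] for i in range(0, len(data), 8))
    return b"".join(hmac.new(SITE_KEY, b, hashlib.sha256).digest()[:8] for b in blocks)

def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow hash; stored as (salt, digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def largest_cluster(records: list[bytes]) -> int:
    """Number of accounts sharing the most common stored value."""
    return Counter(records).most_common(1)[0][1]

if __name__ == "__main__":
    det = [deterministic_record(p) for _, p in SAMPLE]
    salted = [salted_record(p) for _, p in SAMPLE]
    print("deterministic: largest cluster", largest_cluster(det),
          "record lengths", sorted({len(r) for r in det}))
    print("salted+hashed: largest cluster", largest_cluster([d for _, d in salted]),
          "record lengths", sorted({len(d) for _, d in salted}))
```

In the deterministic column, identical passwords collapse into one repeated value and the record length follows the password length; in the salted column every record is unique and the same size.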

At any rate, as the company pointed out, the attackers got enough bait to mount a phishing campaign, so customers should be on the watch for requests for personal data:

“Theft of this type of data mainly serves to feed ‘phishing’ activities, and we ask our customers to remain vigilant and to never provide personal data over email or click on links in email that may be untrustworthy.

Orange is already in contact with all customers affected, and no action by our customers is required.”


One Response

  1. Annoyed EE customer

    February 5, 2014 at 2:18 pm #

    If French processes are similar to UK ones, all that’s needed is to get hold of a mailing extract, since EE send out account access information and passwords in plain text in a single letter to customers.
