If you live in France and depend on the telecom Orange to provide you with your mobile service, your phone or tablet may now be subject to a malware attack thanks to a leak of over 800,000 customer accounts this week.
Overall this number represents just around three percent of the total customers in the country, and currently there is no way for consumers to know whether or not their personal information was compromised in the heist.
By exploiting the “My Account” page on the orange.fr domain, the hackers were able to access the confidential usernames and passwords, along with mailing addresses, customer names, emails, telephones, and customer account IDs. Some of this data was masked, but it was also unencrypted, which leads us to believe that it was only a matter of time before those behind the attack got the data they were hunting for in the end.
Orange responded to the theft in a statement to ZDNet:
“Theft of this type of data mainly serves to feed ‘phishing’ activities, and we ask our customers to remain vigilant and to never provide personal data over email or click on links in email that may be untrustworthy. Orange is already in contact with all customers affected, and no action by our customers is required.”
No one knows exactly how the attackers were able to get in, although security outfit QWASP has told sources that it probably comes down to a simple SQL injection, common among breaches of this type. Orange has told its customers that they will be informed within the next few days if their account was compromised, and that it has already closed the hole the hackers used to get in, to prevent any more data from leaking out.
The whole event comes right on the heels of new legislation passed just last year, which requires all European telecoms to disclose attacks like this one within 24 hours of first being discovered.