French telecom firm Orange, formerly known as formerly France Télécom S.A., has confirmed that personal data of 3% of its customers – a little less than 800,000 people – was chiseled out of its databases on 16th January.
The French news outlet Le Figaro reports that the Orange data was breached from the “My Account” section of the orange.fr site.
Orange told ZDNet that the pirated data included customers’ names, mailing addresses, email addresses, telephone numbers and customer account IDs.
A spokesperson said that customer account IDs were “masked” or “truncated”.
ZDNet quoted a statement sent by the spokesperson:
“These attackers accessed personal data from 3% of Orange customers in France, but the ‘My Account’ page was closed as soon as the attack was detected and technical measures were immediately taken to stop the attack.”
The thieves didn’t get their hands on customer passwords, Orange said.
Or, well, at any rate, the passwords “cannot be used”, it said—meaning, one assumes, hopefully, that they were encrypted.
But even if Orange did encrypt the passwords, that wouldn’t mean much.
As we saw in Adobe’s password-pocalypse, a company saying its passwords were encrypted doesn’t mean that those passwords were properly salted and hashed.
Naked Security’s Paul Ducklin, with very little effort indeed, managed to precisely identify the top five passwords in that 38 million dump of encrypted passwords, plus the 2.75% of users who chose them, and the exact password length of nearly one-third of the database.
Were Orange’s records properly salted and hashed? Or just “encrypted”, as Adobe’s were?
Let’s hope for the former.
At any rate, as the company pointed out, the attackers got enough bait to mount a phishing campaign, so customers should be on the watch for requests for personal data:
“Theft of this type of data mainly serve to feed ‘phishing’ activities, and we ask our customer to remain vigilant and to never provide personal data over email or click on links in email that may be untrustworthy.
“Orange is already in contact with all customers affected, and no action by our customers is required.”
If French processes are similar to UK ones, all that's needed is to get hold of a mailing extract, since EE send out account access information and passwords in plain text in a single letter to customers.