Customer passwords were not stolen – they are stored on a separate server that was not affected. Some partially redacted bank account details were stolen, but, says Orange, in an unusable format. The threat to affected customers is, therefore, from enhanced phishing rather than direct account compromise.
Orange is now emailing affected customers (in French) with information on the breach. This follows an earlier email sent out on 23/24 January giving a general warning on the dangers of phishing, but without mention of the hack. The French publication PCinpact spoke to Laurent Benatar, technical director at Orange. He explained that the breached site was briefly closed while the problem was tackled.
The subsequent email to customers warned about phishing, presumably because Orange had become aware that personal details had been stolen, but did not mention the hack. "For the company," writes PCinpact (in French), "it was still necessary to wait to learn the exact details of the intrusion. Note that the [phishing] advice is valid in all circumstances, whether an intrusion has occurred or not."
Orange has reported the incident to the authorities, and Benatar said that he will not release any further details while the police investigation is under way.
Although the most sensitive personal details – passwords and bank accounts – were stored on separate and apparently better-secured servers, Orange customers should nevertheless take this news seriously. With such a wealth of personal information available, criminals will easily be able to fashion compelling poisoned phishing emails, perhaps with additional information found on social networks such as LinkedIn and Facebook.
Although the breach has been closed, in many ways the threat is only just beginning.
As yet there is no indication of who is responsible for the breach. NullCrew, which has claimed responsibility for the Bell Canada breach, recently announced a campaign against internet providers, and on the day before the Orange breach tweeted, "Successful day hacking internet service providers is successful." Infosecurity has asked NullCrew if it was involved in the Orange breach, but has not so far had a response – nor has NullCrew given any indication of involvement.