European fiber optic network operator Eurofiber over the weekend announced that a threat actor has compromised its ticket management platform and the ATE customer portal.
The incident, the company says, occurred on November 13 and resulted in a data breach. The hackers exploited a vulnerability that allowed them to exfiltrate data stored on the affected platforms.
The impacted ticket management platform is used by Eurofiber France and its regional brands Avelia, Eurafibre, FullSave, and Netiwan. The ATE customer portal is used by Eurofiber Cloud Infra France, which is Eurofiber France’s cloud division.
According to the company, the data breach affected only customers of Eurofiber France and its subsidiaries, and did not impact Eurofiber customers in Belgium, Germany, or the Netherlands.
“For indirect sales and wholesale partners in France, the impact is very limited, as most use separate systems,” Eurofiber said in an incident notice on its website.
Immediately after detecting the incident, the company secured the ticketing platform and the ATE portal and patched the vulnerability. It also implemented additional measures to strengthen system security.
“Sensitive information such as banking details or critical data stored in other systems is not affected by this incident. Services remained fully operational throughout the attack and were not affected by the attacker,” the company said.
In addition to notifying customers of the attack, the network operator reported the incident to the relevant authorities and filed “a report for extortion”.
Responding to a SecurityWeek inquiry, Eurofiber refrained from providing details on the types of exfiltrated information, the number of impacted individuals, the threat actor behind the attack, or the extortion attempt.
According to SOCRadar, the hackers breached Eurofiber’s GLPI IT service management platform, which is used to manage IT assets, configuration details, and customer environments, in addition to support tickets.
The threat actor allegedly accessed information included in support tickets, as well as internal messages, configuration files, VPN configurations, credentials, API keys, tokens, SQL backups, source code, screenshots, and various internal documents.
Overall, roughly 10,000 Eurofiber customers appear to have been affected, including government entities. A threat actor named ByteToBreach has claimed the attack on an underground forum.
The attacker reportedly exploited an SQL injection bug in the web-accessible GLPI interface and was able to extract roughly 10,000 password hashes over a 10-day window. They also claim to have used API keys and other secrets to steal documents, configuration files, and messages.

