Feeds

back to article Crafty French hackers tweak 'My Account' page, slurp 800,000 Orange users' details

Juicy personal data belonging to 800,000 Orange customers in France was siphoned off by hackers who attacked the company's "My Account" section of its website. The webpage on Orange.fr is used by subscribers to manage their accounts with the former French monopoly mobile operator. Orange confirmed to The Register that the …

COMMENTS

This topic is closed for new posts.
Silver badge

Clarification required

The article is slightly confusing about numbers here

1 : Is that 3% of 800 000 users therefore 24 000 accounts

or

2 : 800 000 is 3% of the total users therefore orange has 24 000 000 users.

I verified my own account and did not see any mention of the hacking.. Should I presume that I am safe, no, quick change of password just for the sake of it.

Why is it that the major operators/telcos and ISPs dont force a password change every 6 months for example.

0
4
Silver badge

Re: Clarification required

"Why is it that the major operators/telcos and ISPs dont force a password change every 6 months for example."

Because it is not very effective:

(1) people get fed up and re-use or write down passwords on sticky notes on their monitors (yes, really!) or use really lame passwords they can remember.

(2) With a random time-to-hack the miscreants still have an average of 3 months to do their stuff. Do you think it would any organised gang more than a couple of days to exploit it?

(3) Making people used to regular email reminders to change their password is one easy route to making phishing emails more believable.

6
0
Silver badge

Re: Clarification required

I wonder if they couldn't introduce a 3rd factor by using the NFC feature of newish phones or even something Bluetooth related?

0
0
Silver badge

Re: Clarification required

"I wonder if they couldn't introduce a 3rd factor by using the NFC feature of newish phones or even something Bluetooth related?"

Or even a text. However none of that adds much security when you're surfing from your phone.

Anyway, this sounds like twiddling the url enabled you to read somebody else's account details... No amount of multifactor authentication will fix that.

1
0
Silver badge

Presumably working practices don't suddenly magically change in a multinational from one part of the world to another, so how can we be certain that the same weaknesses didn't exist at some point in the UK based systems too? And might still exist if not dealt with properly?

0
0
Silver badge

I would imagine the orange.fr website dates from before France Telecom took over Orange and changed its own name to Orange.

0
0
Bronze badge

"never provide personal data . ."

To people who don't need it i.e. your phone company. Yes it's tedious but I have several birthdays every year.

1
0
Silver badge

"never provide personal data over email"

You mean, over the email address that you guys just leaked ?

Why, thanks for the suggestion. Now all the affected Orange customers need to do is reinforce their spam filter to face the veritable deluge they will no doubt be getting.

Yup, now is the perfect time to remind users of security measures THEY should be taking.

Well done, Orange.

2
0
Silver badge
FAIL

Your privacy....

....is not our priority.

2
0

Tweak page?

If all the "hacker" done was tweak a page to gain access to other users account details, I would say that Orange are just as guilty of leaking it's customer data. Don't worry, rather that take any responsibility for protecting customer data we will blame the "hacker".

It sounds like the Hacker done something "trivial" to gain access to other customers records, probably stumbled over it by accident.

0
0
Gav

Re: Tweak page?

Dear Orange,

Sorry, I accidentally stumbled into details 3% of your entire customer base. Tweaking a page at a time, that means I've been stumbling for 192 straight hours. This is all your fault, not mine. Mon Dieu, m'aider!

Yours exhausted,

Hacker.

3
0
This topic is closed for new posts.