Crafty French hackers tweak 'My Account' page, slurp 800,000 Orange users' details

Juicy personal data belonging to 800,000 Orange customers in France was siphoned off by hackers who attacked the company's "My Account" section of its website. The webpage on Orange.fr is used by subscribers to manage their accounts with the former French monopoly mobile operator. Orange confirmed to The Register that the …

COMMENTS

This topic is closed for new posts.
  1. Khaptain Silver badge

    Clarification required

    The article is slightly confusing about numbers here

    1 : Is that 3% of 800 000 users, therefore 24 000 accounts?

    or

    2 : 800 000 is 3% of the total users, therefore Orange has 24 000 000 users.

    I verified my own account and did not see any mention of the hacking. Should I presume that I am safe? No, quick change of password just for the sake of it.

    Why is it that the major operators/telcos and ISPs don't force a password change every 6 months, for example?

    1. Paul Crawford Silver badge

      Re: Clarification required

      "Why is it that the major operators/telcos and ISPs don't force a password change every 6 months, for example?"

      Because it is not very effective:

      (1) people get fed up and re-use or write down passwords on sticky notes on their monitors (yes, really!) or use really lame passwords they can remember.

      (2) With a random time-to-hack the miscreants still have an average of 3 months to do their stuff. Do you think it would take any organised gang more than a couple of days to exploit it?

      (3) Making people used to regular email reminders to change their password is one easy route to making phishing emails more believable.

      1. Khaptain Silver badge

        Re: Clarification required

        I wonder if they couldn't introduce a 3rd factor by using the NFC feature of newish phones or even something Bluetooth related?

        1. Brewster's Angle Grinder Silver badge

          Re: Clarification required

          "I wonder if they couldn't introduce a 3rd factor by using the NFC feature of newish phones or even something Bluetooth related?"

          Or even a text. However none of that adds much security when you're surfing from your phone.

          Anyway, this sounds like twiddling the URL enabled you to read somebody else's account details... No amount of multifactor authentication will fix that.

  2. Vimes

    Presumably working practices don't suddenly magically change in a multinational from one part of the world to another, so how can we be certain that the same weaknesses didn't exist at some point in the UK based systems too? And might still exist if not dealt with properly?

    1. jonathanb Silver badge

      I would imagine the orange.fr website dates from before France Telecom took over Orange and changed its own name to Orange.

  3. Roger Greenwood

    "never provide personal data . ."

    To people who don't need it i.e. your phone company. Yes it's tedious but I have several birthdays every year.

  4. Pascal Monett Silver badge

    "never provide personal data over email"

    You mean, over the email address that you guys just leaked?

    Why, thanks for the suggestion. Now all the affected Orange customers need to do is reinforce their spam filter to face the veritable deluge they will no doubt be getting.

    Yup, now is the perfect time to remind users of security measures THEY should be taking.

    Well done, Orange.

  5. Winkypop Silver badge
    FAIL

    Your privacy....

    ....is not our priority.

  6. Tsung

    Tweak page?

    If all the "hacker" did was tweak a page to gain access to other users' account details, I would say that Orange are just as guilty of leaking its customer data. Don't worry, rather than take any responsibility for protecting customer data we will blame the "hacker".

    It sounds like the Hacker did something "trivial" to gain access to other customers' records, probably stumbled over it by accident.

    1. Gav

      Re: Tweak page?

      Dear Orange,

      Sorry, I accidentally stumbled into details of 3% of your entire customer base. Tweaking a page at a time, that means I've been stumbling for 192 straight hours. This is all your fault, not mine. Mon Dieu, m'aider!

      Yours exhausted,

      Hacker.
