
Orange Group Breach Exposes 380,000 Emails – Are Your Credentials on the Dark Web?

A Devastating Cyberattack on Orange Group: What You Need to Know

Orange Group, a leading French telecommunications provider, has confirmed a major cybersecurity breach affecting its Romanian operations. The attack, orchestrated by a hacker using the alias “Rey,” has exposed thousands of sensitive internal documents, raising serious concerns about Orange’s security infrastructure and data protection measures.

Rey, reportedly affiliated with the HellCat ransomware group, infiltrated Orange Romania’s systems, gaining undetected access for over a month before exfiltrating massive amounts of data. On February 25, 2025, the hacker leaked 12,000 files (6.5GB of data) onto a dark web forum, making them freely available to cybercriminals and threat actors.

What Data Was Stolen?

The breach resulted in the compromise of:

  • 380,000 unique email addresses, including corporate and customer accounts.
  • Source code and proprietary internal software.
  • Confidential invoices and contracts.
  • Employee records, including sensitive internal documents.
  • Partial payment card details (though many appear outdated or expired).

How Did the Hacker Exploit Orange’s Weaknesses?

Investigators discovered that Rey exploited unpatched vulnerabilities in Orange’s Jira issue-tracking software and internal portals. This breach was made possible by stolen credentials, highlighting Orange’s failure to enforce stronger authentication policies and proactive monitoring. Rey maintained access for over a month, exfiltrating data within a short three-hour window.

Despite Rey’s affiliation with the HellCat ransomware group, this attack did not involve ransomware encryption. Instead, it appears to be a targeted data theft operation, exposing critical flaws in Orange’s access management and network security.

Orange’s Response and Security Oversight

Orange Group has confirmed the breach and stated that the affected system was a non-critical back-office application. However, cybersecurity experts warn that while the stolen payment card details may be outdated, the exposure of internal documents, proprietary software, and email addresses could lead to phishing attacks, corporate espionage, and further breaches.

The company has launched an internal investigation, working with cybersecurity specialists to assess the impact and mitigate further risks. However, Orange’s lack of a robust threat detection system allowed this intrusion to persist for over a month, a critical failure that leaves its cybersecurity preparedness in question.

A Second Attack – Further Exposing Orange’s Weak Security Practices

Shockingly, on the same day as the Romania breach, Orange Spain experienced a separate cyberattack. This attack was executed by a hacker known as “Snow”, who hijacked Orange Spain’s RIPE NCC account (a European internet registry).

Exploiting a weak password (“ripeadmin”) and the absence of Multi-Factor Authentication (MFA) on the account, Snow gained access to critical network infrastructure and manipulated BGP (Border Gateway Protocol) and RPKI (Resource Public Key Infrastructure) settings. This led to a three-hour outage, disrupting internet traffic and potentially exposing sensitive network data.

Investigators traced the breach to stolen corporate credentials, which had been compromised via an infostealer malware infection (Raccoon Stealer) in September 2023. The lack of an MFA requirement and reliance on outdated password policies allowed this breach to escalate, demonstrating yet another gap in Orange’s security protocols.
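A monitoring check for the kind of RPKI tampering described above, added here as an illustration and not taken from Orange or the cited reports: it applies RFC 6811 route origin validation to an operator's own announcements against two ROA snapshots and reports any announcement whose validation state got worse. The snapshot format, prefixes (documentation ranges) and AS numbers are constructed; in practice the snapshots would come from an RPKI validator export.

```python
import ipaddress

RANK = {"valid": 0, "not-found": 1, "invalid": 2}

def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none means invalid.
    return "invalid" if covered else "not-found"

def roa_regressions(announcements, roas_before, roas_after):
    """List our announcements whose state worsened between two snapshots."""
    alerts = []
    for prefix, asn in announcements:
        old = rov_state(prefix, asn, roas_before)
        new = rov_state(prefix, asn, roas_after)
        if RANK[new] > RANK[old]:
            alerts.append((prefix, asn, old, new))
    return alerts

# Constructed sample data: (prefix, origin ASN) we announce, and
# ROAs as (prefix, maxLength, authorised origin ASN).
ANNOUNCEMENTS = [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64496),
                 ("203.0.113.0/24", 64496)]
ROAS_BEFORE = [("192.0.2.0/24", 24, 64496), ("198.51.100.0/24", 24, 64496),
               ("203.0.113.0/24", 24, 64496)]
# After: first ROA now names a different origin, second ROA was deleted.
ROAS_AFTER = [("192.0.2.0/24", 24, 64511), ("203.0.113.0/24", 24, 64496)]

if __name__ == "__main__":
    for prefix, asn, old, new in roa_regressions(
            ANNOUNCEMENTS, ROAS_BEFORE, ROAS_AFTER):
        print(f"ALERT {prefix} AS{asn}: {old} -> {new}")
```

A valid-to-invalid transition is the urgent case, because networks that enforce origin validation will drop the route; a valid-to-not-found transition means a ROA disappeared and should be matched against an approved change.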

Key Takeaways: Orange’s Systemic Security Failures

The twin breaches at Orange highlight serious security weaknesses that the company must address immediately:

  • Failure to patch known vulnerabilities – Jira software flaws enabled unauthorized access for over a month.
  • Weak authentication protocols – A lack of MFA contributed to the Spain breach and increased exposure risk.
  • Poor credential management – Weak passwords and outdated security measures enabled cybercriminals to hijack accounts.
  • Ineffective monitoring and response – Orange did not detect the breaches in time, allowing prolonged unauthorized access.

What Orange Group Needs to Do Now

These breaches should serve as a wake-up call for Orange’s cybersecurity leadership. Immediate actions the company must take include:

  1. Enforcing Multi-Factor Authentication (MFA) across all corporate accounts and internal systems.
  2. Strengthening password policies to eliminate weak, easily guessable credentials.
  3. Implementing real-time threat detection to identify unauthorized access before damage occurs.
  4. Patching vulnerabilities in software and infrastructure as soon as security updates are available.
  5. Enhancing internal cybersecurity training to ensure employees recognize and mitigate risks associated with credential theft and phishing attempts.

To Sum Up: The Cost of Inaction

Orange Group’s failure to prevent these breaches highlights deep-rooted security flaws that demand urgent attention. If a telecom giant with vast resources can suffer such prolonged cyberattacks, it raises serious questions about its ability to protect customer and corporate data in the future.

For Orange, addressing these security gaps is no longer optional—it is a necessity to prevent further reputational and financial damage. The real question is: Will Orange take action before another breach occurs?

 


Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
