Cyber Incident Victim: Orange România
Date:
Nov 2025
Location:
Romania
Summary
Orange România was targeted by a hacker known as Rey, who claimed affiliation with the HellCat ransomware group and said he gained entry through compromised credentials and vulnerabilities in the company’s Jira issue‑tracking system, maintaining access for over a month before extracting data during a three‑hour window. The breach exposed approximately 380 000 unique email addresses belonging to current and former employees, partners, contractors and customers, along with internal documents, source code, invoices, contracts and partial payment‑card details, some of which had already expired, and included information from the Yoxo subscription service. Rey left a ransom note on the compromised systems but reported that the company did not respond, and the stolen data were later posted on a hacker forum.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
A hacker known as “Rey,” who is associated with the HellCat ransomware group, claimed responsibility for infiltrating the systems of the French telecommunications company Orange, specifically affecting its Romanian operations. According to Rey, the breach was achieved through a combination of compromised credentials and a vulnerability in the company’s Jira issue‑tracking software. He stated that he maintained access to Orange’s systems for more than one month before extracting data over a three‑hour period without being detected. During the intrusion, Rey left a ransom note on the compromised system, but Orange did not initiate any negotiation in response to the note. After the lack of response, Rey disclosed that he attempted extortion and subsequently released the stolen data on a hacker forum.
The data allegedly taken primarily concerns Orange Romania and includes approximately 380,000 unique email addresses, internal company documents, and customer information. Samples of the exposed data contain email addresses belonging to current and former employees, partners, and contractors, as well as source code, invoices, contracts, and partial payment‑card details linked to Romanian customers. Some of the email addresses correspond to individuals who have not been Orange Romania customers for over five years, and many of the exposed payment‑card details have already expired. Rey also confirmed that the breach encompassed the personal data of customers subscribed to Yoxo, Orange’s no‑contract service. The stolen information was made publicly available on the hacker forum where Rey posted the leak.
The incident resulted in the exposure of a substantial volume of Orange Romania’s internal and customer‑related data, including email addresses, corporate documents, and partial financial details. Orange did not engage in any negotiation following the ransom note left by the attacker, and no further response actions such as public statements, containment measures, or remediation steps are described in the source material. The leaked data remains accessible on the hacker forum, constituting the documented consequence of the cyberattack.