Cyber Incident Victim: Orange România

Date: Oct 2025

Location: Romania

Summary

A hacker known as Rey, linked to the HellCat ransomware group, claimed responsibility for infiltrating Orange România’s systems using compromised credentials and Jira vulnerabilities, maintaining access for over a month before extracting data in a three‑hour window. The breach exposed approximately 380,000 unique email addresses of current and former employees, partners, contractors, and Yoxo subscription customers, plus internal documents, source code, invoices, contracts and partial payment‑card details, many already expired. The attacker left a ransom note on the compromised system, but the company did not engage in negotiation.

Description

On February 1, 2025, media reports identified a cyberattack against Orange Romania. The attacker, known by the pseudonym “Rey”, claimed responsibility for the intrusion. Rey stated that he is associated with the HellCat ransomware group but emphasized that the operation was not part of a HellCat ransomware campaign. He said he gained initial access to Orange’s systems through a combination of compromised credentials and a vulnerability in the company’s Jira issue‑tracking platform. After obtaining entry, Rey maintained persistent access to the Orange network for more than one month before initiating data exfiltration.

The exfiltration phase lasted approximately three hours and was conducted without triggering any detection alerts noted in the source. Rey reported that he extracted roughly 380,000 unique email addresses belonging to Orange Romania. The stolen dataset also included internal company documents, source code repositories, invoices, contracts, and partial payment‑card details linked to Romanian customers. Email addresses of current and former employees, partners, and contractors were present in the leaked material. In addition, customer data from Yoxo, Orange’s no‑contract subscription service, were included in the breach.

Some of the email addresses belonged to individuals who had not been Orange Romania customers for over five years, and many of the exposed payment‑card details had already expired. Rey placed a ransom note on the compromised system after the data theft, but Orange Romania did not initiate any negotiation with the attacker. He further claimed that he had attempted to extort the French parent company, which did not respond, leading him to publish the stolen data on a hacker forum. The public disclosure of the data exposed personal and corporate information, increasing the risk of identity theft and fraud for affected individuals. No further details regarding containment, remediation, or official statements from Orange Romania were provided in the source material.
