Eurofiber says hackers exploited a flaw on November 13, breached its ticket and customer portals, stole data, and attempted extortion.
On November 13, threat actors exploited a vulnerability to breach its ticketing system and ATE customer portal of the European fiber operator Eurofiber. Attackers stole data and attempted extortion.
Eurofiber focuses on B2B digital infrastructure, unlike consumer-oriented providers such as Orange or Bouygues. Its latest annual revenue reached €308M, while Orange made €9.9B in Q3 2025 alone.
The breached ticketing platform is used by Eurofiber France and its brands Avelia, Eurafibre, FullSave, and Netiwan, while the ATE portal serves Eurofiber Cloud Infra France. The company says the data breach affected only customers in France and its subsidiaries, with no impact on clients in Belgium, Germany, or the Netherlands.
“Eurofiber France announces that a cybersecurity incident was detected on November 13 ,2025. It concerns the ticket management platform used by Eurofiber France and its regional brands (Eurafibre, FullSave, Netiwan, Avelia), as well as the ATE customer portal, which corresponds to Eurofiber France’s cloud division operating under the Eurofiber Cloud Infra France brand.” reads a notice published by the company. “A software vulnerability in this platform was exploited by a malicious actor, resulting in the exfiltration of data related to these platforms.”
The company downplays the incident, saying that the impact on indirect and wholesale partners in France is minimal since most use separate systems. After detecting the breach, it secured the ticketing platform and ATE portal, patched the vulnerability, and added further protections. Teams and cybersecurity experts are now helping clients manage the incident’s effects.
The attack did not touch bank details or critical data in other systems, and all services stayed fully operational. Eurofiber immediately notified customers when it detected the incident and will continue to update them as the situation evolves, providing regular, case-by-case communication.
“In accordance with legal obligations, Eurofiber France reported the incident to the CNIL (French Data Protection Authority under the GDPR), notified the ANSSI (French National Cybersecurity Agency), and filed a complaint for extortion.” concludes the notice. “We reaffirm our commitment to data protection, cybersecurity, and transparency. Our teams remain fully mobilized until the incident is completely resolved.”
The company did not provide technical details about the attack, it is unclear the exact number of impacted individuals.
On November 14, 2025, SOCRadar researchers found a post on a cybercrime forum announcing the hack of the Eurofiber’s GLPI environment. Threat actors also published a sample of the alleged stolen data.
SocRadar states that stolen data may include sensitive operational materials rather than simple identity data. The attacker claims to possess:
- SSH private keys for server administration
- VPN configurations for internal and customer environments
- API keys and cloud access tokens
- SQL backups containing configuration data
- Source code and internal scripts
- Support tickets, attachments, and internal messages
- ID scans, screenshots, and documentation
- Network inventories and architecture details
According to International Cyber Digest, the attackers used a GLPI SQL injection to pull ~10k bcrypt hashes in 10 days, spinning up 20 EU VPS to speed extraction and grab admin keys and files.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
