Eurofiber, a provider of B2B digital infrastructure services, detected a cybersecurity incident on November 13, 2025, which exclusively affected its operations in France and its local subsidiaries—Avelia, Eurafibre, FullSave, and Netiwan. This breach did not impact customers in Belgium, Germany, or the Netherlands. The incident involved the exploitation of a software vulnerability in the ticket management platform used by Eurofiber France, as well as the ATE customer portal belonging to Eurofiber Cloud Infra France. This vulnerability was leveraged by a malicious actor to exfiltrate data from these platforms, which was followed by an extortion attempt. The company immediately secured the affected systems, patched the vulnerability, and implemented enhanced protections to mitigate the damage.
The breached systems are distinct from Eurofiber’s core network and critical infrastructure. The company emphasized that while data was stolen, the attack did not touch bank details or other critical data stored in its primary systems, and all services remained fully operational throughout the incident. Eurofiber’s initial assessment suggested a minimal impact on indirect and wholesale partners in France, as many utilize separate systems. Upon detecting the breach, Eurofiber France promptly notified its customers, the CNIL (French Data Protection Authority), and the ANSSI (French National Cybersecurity Agency), and also filed a formal complaint for extortion.
However, the full scope of the breach remains under investigation. While Eurofiber has not released technical details or the exact number of impacted individuals, external analysis suggests the stolen information may be far more sensitive than simple identity data. Researchers from SOCRadar located a post on a cybercrime forum that announced the hack and included a sample of the alleged stolen data. According to the attacker’s claims, the exfiltrated materials may be highly sensitive and operational in nature.
The list of potentially compromised data includes items crucial for system administration and security. Specifically, the threat actor claims to possess SSH private keys for server administration, VPN configurations for both internal and customer environments, API keys and cloud access tokens, and SQL backups containing configuration data. Furthermore, they assert possession of source code, internal scripts, support tickets with attachments and internal messages, ID scans, and detailed network inventories and architecture details. If verified, the theft of these operational materials poses a much greater risk than a typical identity data breach.
Eurofiber’s teams and external cybersecurity experts are currently mobilized to assist clients in managing the effects of the incident, providing ongoing, case-by-case communication as the situation develops. The company has reaffirmed its commitment to data protection, cybersecurity, and transparency, ensuring its full mobilization until the matter is completely resolved.
Reference:
