Eurofiber France reports data breach exposing data of 3,600+ organizations
Take action: If you are a user of Eurofiber, time to reset ALL credentials related to your Eurofiber hosting. And start a very deep internal audit, since your credentials may have already been compromised and used to breach your organization.
Learn More
Eurofiber France, a major fiber optic infrastructure provider operating over 76,000 kilometers of network and 11 data centers across Europe, is reporting a data breach discovered on November 13, 2025, affecting its internal ticket management system and ATE customer portal.
The company reports that attackers exploited SQL injection vulnerabilities in outdated GLPI IT asset management software. The exploited vulnerabilities are CVE-2024-29889 and CVE-2025-24799 to gain access to infrastructure data over an extended period.
Threat actor "ByteToBreach" claims to have stolen the entire GLPI database containing operational secrets and privileged access credentials for thousands of government agencies, defense contractors, and multinational corporations across France and Europe.
The attackers rented approximately 20 virtual private servers hosted across France, Belgium, Germany, and the Netherlands to parallelize the extraction process, spending roughly 10 days to steal approximately 10,000 password hashes at a rate of 14 minutes per bcrypt hash. The attackers gained administrative API keys and application secrets that allowed access to documents, internal messages, and infrastructure configuration files.
The compromised data includes:
- SSH private keys for managing production servers
- VPN configuration files for internal and client systems
- Authentication tokens and session credentials
- Internal API keys and application secrets
- SQL database backups containing historical data
- Source code repositories
- Complete ticket history and support communications
- Service configuration details
- Cloud access credentials and infrastructure documentation
- Identity documents and personal credentials
- Sensitive client communications and contracts
External cybersecurity researchers and dark web monitoring services, including International Cyber Digest and SOCRadar, report that approximately 3,600 customers may be affected by the breach. Eurofiber has not officially confirmed this figure.
The partial victim list leaked by ByteToBreach includes some of Europe's most critical infrastructure operators and sensitive organizations:
- Airbus,
- Thales,
- Orange Telecom,
- SFR Telecom,
- TotalEnergies,
- Engie,
- Suez,
- French National Railway (SNCF),
- Colt Technology,
- French Ministry of Interior,
- French Ministry of Sustainable Development,
- AXA Group,
- BPCE Group (major French bank),
- Banque Misr,
- Accenture,
- CGI Group.
Eurofiber France emphasizes that the breach was confined exclusively to French operations, and customers in Belgium, Germany, and the Netherlands are not affected.
The company notified all affected customers immediately after detection and has committed to providing transparent updates as the investigation progresses.
Security experts warn that the exposure of SSH keys, VPN configurations, and API credentials creates catastrophic supply chain risk, as these privileged secrets can grant adversaries trusted, administrative access to bypass all perimeter defenses and gain persistent, undocumented access to core infrastructure across thousands of organizations.
Affected organizations are urgently advised to rotate all credentials that may have been documented in Eurofiber support tickets, conduct internal threat hunting for indicators of compromise, and implement multi-factor authentication for all privileged access.
