Eurofiber Breach Exposes Critical Infrastructure Data Across Europe – What You Need to Know
A major supply chain breach has surfaced at Eurofiber, a core digital infrastructure provider serving thousands of public and private-sector organizations across Europe. A threat actor known as ByteToBreach claims to have exfiltrated Eurofiber’s entire GLPI service-management database, including operational secrets and customer-related data that could provide direct access into connected networks.
Because Eurofiber underpins connectivity, cloud, and critical services for high-profile entities, the incident raises urgent questions for security teams across multiple sectors.
In this blog post, we explain what happened, how the breach was carried out, who appears to be affected, and what organizations should do next.
What Happened?
Eurofiber experienced a breach of its GLPI IT service management platform, a core system used to manage IT assets, support tickets, configuration details, and customer environments. According to the attacker’s claims, they obtained a full copy of this database.
The stolen dataset reportedly includes support tickets, internal messages, configuration files, and various credentials and keys tied to Eurofiber’s operations and its customers. Because GLPI sits at the center of how Eurofiber supports and connects its clients, a compromise of this system turns a single-platform incident into a supply chain risk for thousands of organizations.
What Was Initially Discovered About the Eurofiber Breach?
On November 14, 2025, SOCRadar’s Advanced Dark Web Monitoring detected a post on an underground forum, where the threat actor claimed access to Eurofiber’s GLPI environment and shared sample hashes and data.

Eurofiber breach claim post by the threat actor (SOCRadar Dark Web News)
This initial detection indicated that Eurofiber’s service-management system was involved in a significant compromise, although the full scope and impact were not yet clear and there was no public communication from Eurofiber or GLPI’s maintainer, Teclib.
Who Is the Threat Actor Behind the Eurofiber Breach?
As mentioned, ByteToBreach is the threat actor claiming responsibility for the incident. Although not widely known before this event, their activity on Dark Web forums suggests a technically capable individual focused on exploiting vulnerable enterprise systems. The attacker operates independently, leveraging multiple VPS resources across Europe to extract data systematically.
What Motivated the Threat Actor?
ByteToBreach has no extensive public history, and their communications indicate:
- Initial intent to negotiate privately.
- Escalation to public sale after Eurofiber did not respond.
Although the attacker’s motives appear financially driven, the nature of the compromised data could attract threat actors with additional strategic interests.
How Did the Attacker Claim to Execute the Breach?
According to International Cyber Digest, ByteToBreach described the intrusion in several stages:
- A vulnerable GLPI version exposed a SQL injection opportunity.
- Each bcrypt hash extraction took approximately 14 minutes.
- They rented 20 VPS hosted in France, Belgium, Germany, and the Netherlands to parallelize the attack.
- The threat actor reports extracting roughly 10,000 password hashes over about 10 days.
- Administrative API keys and application secrets allowed retrieval of documents, messages, and infrastructure files.
These details suggest a slow but persistent exfiltration process typical of time-based SQL injection methods.
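Added example (not code from Eurofiber, Teclib, or SOCRadar): a Python check that looks for the timing pattern described above in web-server logs, where one source sends many requests to one endpoint and the answers split into fast responses and responses pinned near a fixed delay. The log format (nginx-style with the request time as the last field), the thresholds, the placeholder paths, and the sample lines are all assumptions constructed for illustration.

```python
import re
import statistics
from collections import defaultdict

# Assumed log format: nginx "combined" prefix with $request_time appended as the last field.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                     r'\d{3} \d+ (?P<rt>\d+\.\d+)$')
SLOW_SECONDS = 2.0      # responses at or above this count as delayed
MIN_REQUESTS = 20       # ignore low-volume sources
MAX_SLOW_SPREAD = 0.15  # max stdev/mean among delayed responses ("pinned" delay)


def suspicious_sources(lines):
    """Flag (ip, path) pairs whose latencies mix fast answers with near-constant delays."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            buckets[(m["ip"], m["url"].split("?", 1)[0])].append(float(m["rt"]))
    findings = []
    for (ip, path), times in sorted(buckets.items()):
        slow = [t for t in times if t >= SLOW_SECONDS]
        if len(times) < MIN_REQUESTS or len(slow) < 5:
            continue
        ratio = round(len(slow) / len(times), 2)
        spread = statistics.pstdev(slow) / statistics.mean(slow)
        if 0.1 <= ratio <= 0.9 and spread <= MAX_SLOW_SPREAD:
            findings.append({"ip": ip, "path": path, "requests": len(times), "slow_ratio": ratio})
    return findings


def constructed_sample():
    """Constructed log lines: documentation IPs and placeholder paths, no real data."""
    def row(ip, sec, path, rt):
        return f'{ip} - - [14/Nov/2025:10:00:{sec:02d} +0100] "GET {path} HTTP/1.1" 200 512 {rt:.3f}'
    lines = []
    for i in range(40):  # source A: half the answers pinned near 5 s
        rt = 5.0 + (i % 3) * 0.02 if i % 2 else 0.05
        lines.append(row("203.0.113.10", i, f"/glpi/PLACEHOLDER.php?id={i}", rt))
    for i in range(30):  # source B: ordinary user, two unrelated slow responses
        rt = {7: 3.2, 19: 7.9}.get(i, 0.08)
        lines.append(row("198.51.100.7", i, "/glpi/PLACEHOLDER.php", rt))
    for i in range(25):  # source C: heavy report page, always slow, widely varying
        lines.append(row("192.0.2.44", i, "/glpi/REPORT.php", 2.5 + i * 0.4))
    return lines


if __name__ == "__main__":
    print(suspicious_sources(constructed_sample()))
```

Because the attacker reportedly spread the work over 20 VPS, grouping by path alone as well as by source helps catch a campaign whose per-source volume stays below `MIN_REQUESTS`.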

Attacker used slow SQL injection via GLPI, renting EU VPS to exfiltrate hashes and sensitive data. (X)
How Did Eurofiber’s GLPI Platform Become a Target?
Several factors appear to have made Eurofiber’s GLPI platform an attractive entry point rather than just another internal tool:
- The GLPI instance was reportedly running an outdated version (10.0.7 – 10.0.14) affected by SQL injection issues.
- GLPI exposed a web interface that was reachable by the attacker, despite being viewed as an “internal” system.
- The platform held high‑value assets such as credentials, configuration files, and infrastructure details.
- Security and monitoring efforts typically focus on public-facing services, leaving ITSM platforms with fewer protections and slower patch cycles.
In combination, these conditions turned GLPI into a high‑privilege, high‑payoff target, where a single successful exploit could open pathways into many connected environments.

SOCRadar’s Attack Surface Management (ASM) module, Company Vulnerabilities
To reduce this kind of blind spot, solutions like SOCRadar XTI can help organizations maintain an up‑to‑date map of their digital footprint, discover exposed services, and prioritize remediation based on associated vulnerabilities and threat activity.
What Types of Data Were Allegedly Exposed?
The Eurofiber breach reportedly includes sensitive operational materials rather than simple identity data. The attacker claims to possess:
- SSH private keys for server administration
- VPN configurations for internal and customer environments
- API keys and cloud access tokens
- SQL backups containing configuration data
- Source code and internal scripts
- Support tickets, attachments, and internal messages
- ID scans, screenshots, and documentation
- Network inventories and architecture details
Why Is This Data Particularly Dangerous?
The exposed content can enable attackers to:
- Authenticate directly to production systems
- Move laterally through internal networks
- Impersonate Eurofiber personnel
- Maintain long-term access using trusted channels
- Map out client infrastructures for future intrusion attempts
Unlike password leaks, stolen keys and configurations can provide access paths that bypass many traditional detection mechanisms.
Which Organizations Appear to Be Affected?
More than 3,600 organizations rely on Eurofiber’s compromised GLPI environment. Early review of the affected domain list shows:
- Airbus
- Multiple French government ministries
- Thales
- Orange & SFR Telecom
- Engie & TotalEnergies
- AXA Group & BPCE Group
- Sanofi
- Consulting firms including Accenture and CGI
- Colt Technology
- SNCF (French national railway)
- Microsoft
- BASF
- Universities, hospitals, and major retailers such as Auchan, Decathlon, Fnac, and Boulanger
These organizations represent essential sectors including defense, telecom, energy, finance, healthcare, and retail.
What Are the Potential Risks for Impacted Clients?
Organizations should treat this as a credential and infrastructure compromise. Potential risks include:
- Unauthorized server access via stolen SSH keys
- Remote entry through exposed VPN profiles
- Abuse of cloud services via leaked API tokens
- Targeted intrusions informed by internal ticket discussions
- Reconnaissance using disclosed architecture data
Attackers may replicate trusted Eurofiber access pathways, making detection more difficult.
How Did Eurofiber Respond to the Security Incident?
Eurofiber has released an official notice confirming that a cybersecurity incident occurred on November 13, 2025, affecting its ticket management platform and the ATE customer portal used by Eurofiber France and its regional brands Eurafibre, FullSave, Netiwan, and Avelia.
The company says attackers exploited a software vulnerability, accessed data stored in these systems, and attempted extortion.
According to Eurofiber, the impact is limited to customers in France and those using the ATE portal within the Eurofiber Cloud Infra France division. Clients in Belgium, Germany, and the Netherlands were not affected, as they operate on separate platforms.
Following detection, Eurofiber secured the affected systems, patched the vulnerability, and applied additional protections. The company states that bank details and critical information in other environments were not accessed, and all services continued operating normally throughout the event. Eurofiber also reports that it has notified impacted customers, is providing ongoing support, and has complied with reporting obligations by informing the CNIL, ANSSI, and filing an extortion complaint.
Eurofiber has not disclosed technical details about the exploited vulnerability or the number of affected customers in its statement.
What Immediate Actions Should Organizations Take?
Affected entities should prioritize:
- Rotating all SSH keys.
- Replacing VPN configurations and certificates.
- Regenerating API keys, tokens, and cloud credentials.
- Reviewing authentication logs for suspicious activity.
- Searching ticket systems for previously shared credentials.
- Conducting endpoint and network scans.
Due to the supply chain nature of the incident, organizations should assess any dependency on Eurofiber-linked access channels.
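Added example (not SOCRadar's or Eurofiber's tooling): a Python scan of exported ticket bodies for the secret types listed as exposed, pairing each hit with the matching rotation step from the list above. The export shape (`id`, `body`), the ticket IDs, and the sample text are constructed; the AWS key ID shown is the value published in AWS documentation as an example.

```python
import re

# Well-known public formats for the secret types listed above; extend for your own providers.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "openvpn_inline_key": re.compile(r"<(?:key|tls-auth|tls-crypt)>"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*\S{6,}"),
}
# Follow-up for each kind of hit, mirroring the rotation steps in the list above.
ACTION = {
    "private_key": "rotate SSH key pair, remove old public key from authorized_keys",
    "openvpn_inline_key": "reissue VPN profile and certificate",
    "aws_access_key_id": "deactivate and regenerate the access key",
    "credential_assignment": "reset the credential, check where it was reused",
}


def redact(text):
    """Keep enough of the match to locate it without copying the secret into the report."""
    return text[:8] + "[REDACTED]" if len(text) > 8 else "[REDACTED]"


def scan_tickets(tickets):
    findings = []
    for ticket in tickets:
        for line_no, line in enumerate(ticket["body"].splitlines(), start=1):
            for kind, pattern in PATTERNS.items():
                m = pattern.search(line)
                if m:
                    findings.append({"ticket": ticket["id"], "line": line_no, "kind": kind,
                                     "excerpt": redact(m.group(0)), "action": ACTION[kind]})
    return findings


# Constructed sample export (hypothetical ticket IDs and bodies, no real secrets).
SAMPLE_TICKETS = [
    {"id": "T-1001", "body": "Key for the jump host:\n-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)"},
    {"id": "T-1002", "body": "VPN profile below.\n<key>\n(placeholder)\n</key>\npassword = Example-Not-Real-1"},
    {"id": "T-1003", "body": "Please reset my password, I forgot it."},
    {"id": "T-1004", "body": "Backup job uses AKIAIOSFODNN7EXAMPLE"},
]

if __name__ == "__main__":
    for finding in scan_tickets(SAMPLE_TICKETS):
        print(finding)
```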

SOCRadar’s Supply Chain Intelligence, Third-Party Companies
For third-party dependencies, SOCRadar’s Supply Chain Intelligence module can surface incidents and leaked data involving key service providers, helping teams quickly understand whether a vendor breach, such as Eurofiber’s, could have downstream impact.
Conclusion
The Eurofiber incident shows how a single compromised service‑management platform that stores credentials, configurations, and operational data can create long‑term risk for thousands of organizations at once. Reducing that risk depends on patching internal tools as rigorously as internet‑facing services, keeping secrets out of ticketing systems, and regularly reassessing the access given to suppliers and service providers.
Complementing these efforts with dedicated visibility – through SOCRadar XTI for mapping exposed assets and SOCRadar’s Supply Chain Intelligence module for tracking incidents involving key vendors – can help organizations spot similar exposures earlier and respond more confidently.

