Eurofiber France, a subsidiary of the Eurofiber Group, has confirmed a significant data breach discovered on November 13, 2025, and publicly disclosed on November 17, 2025 [1]. The incident occurred when a threat actor, operating under the alias “ByteToBreach,” exploited SQL injection vulnerabilities in an outdated GLPI (an open-source IT Service Management software) ticketing system [4]. The attacker successfully exfiltrated the entire GLPI database, which contained a trove of highly sensitive operational data belonging to Eurofiber’s French clients, including major corporations and government entities. The data was subsequently offered for sale on the dark web after alleged ransom negotiations with both Eurofiber and GLPI’s developer, Teclib, failed [6]. This breach is notable for its impact as a supply chain attack, potentially affecting an estimated 3,600 of Eurofiber’s French business customers, while customers in the Netherlands, Belgium, and Germany were not impacted [2].
Technical Breakdown of the Attack Vector
The core of this breach was the exploitation of specific, known vulnerabilities within the GLPI ticketing system. Technical analysis from SOCRadar and Botcrawl identifies the flaws as CVE-2024-29889 and CVE-2025-24799, which affected GLPI versions 10.0.7 through 10.0.14 [4][6]. The primary method of exploitation was a “slow, time-based SQL injection” attack. Unlike traditional SQL injection that returns data immediately, a time-based blind SQL injection forces the database to pause for a specified period before responding, allowing an attacker to infer information based on the response time. The threat actor used this technique to methodically extract data from the database. According to reports, the attacker leveraged approximately 20 Virtual Private Servers (VPS) distributed across Europe to conduct the exfiltration over a 10-day period, successfully obtaining around 10,000 password hashes [4]. This distributed approach can help evade simple IP-based blocking mechanisms.
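The detection side of the technique described above, as an added example that is not part of the original article: because the delayed requests were spread over many source addresses, this sketch groups by endpoint rather than by client IP and flags endpoints where many requests stall at a near-constant delay far above that endpoint's normal latency. The log format, paths, thresholds and sample lines are constructed assumptions.

```python
import statistics
from collections import defaultdict

def constructed_sample():
    """Constructed access-log lines: '<client_ip> <path> <response_seconds>'."""
    lines = [f"203.0.113.7 /helpdesk/list {0.10 + (i % 5) * 0.02:.2f}" for i in range(40)]
    lines.append("203.0.113.7 /helpdesk/list 3.40")  # one ordinary slow page
    for i in range(30):  # five sources; every other request stalls ~5 s
        secs = 5.08 if i % 2 else 0.09
        lines.append(f"198.51.100.{10 + i % 5} /helpdesk/search {secs:.2f}")
    return lines

def parse(lines):
    """Yield (ip, path, seconds); malformed lines are skipped, not fatal."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield parts[0], parts[1], float(parts[2])
        except ValueError:
            continue

def suspicious_endpoints(lines, factor=10.0, min_slow=10, min_ips=3, max_spread=0.5):
    """Flag paths where many requests stall at a near-constant delay."""
    by_path = defaultdict(list)
    for ip, path, secs in parse(lines):
        by_path[path].append((ip, secs))
    findings = {}
    for path, hits in by_path.items():
        times = [s for _, s in hits]
        if len(times) < 4:
            continue
        # First quartile as baseline: a median would be dragged upward when
        # about half of the requests to the endpoint are delayed.
        baseline = statistics.quantiles(times, n=4)[0]
        slow = [(ip, s) for ip, s in hits if s > factor * baseline]
        if len(slow) < min_slow:
            continue
        ips = {ip for ip, _ in slow}
        spread = statistics.pstdev([s for _, s in slow])
        # Counted per endpoint, not per client, so spreading requests over
        # many addresses does not hide the pattern.
        if len(ips) >= min_ips and spread <= max_spread:
            findings[path] = {"slow": len(slow), "ips": len(ips), "spread": round(spread, 2)}
    return findings

if __name__ == "__main__":
    print(suspicious_endpoints(constructed_sample()))
```

A single slow page on a busy endpoint is not flagged; only a repeated, tightly clustered delay from several sources is.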
Scope and Nature of the Exfiltrated Data
The data stolen in this incident is particularly severe due to its operational and infrastructural nature, going far beyond simple personally identifiable information (PII). The exfiltrated GLPI database contained support tickets and internal messages, which could reveal system weaknesses and internal security processes. More critically, the database included technical configuration files such as VPN configurations, SSH private keys, API keys, and cloud access tokens [1][7]. The presence of SQL backups and source code further compounds the risk, as it could facilitate the discovery of additional vulnerabilities within customer environments. Screenshots, ID scans, and detailed network architecture documents uploaded to the ticketing system by clients were also taken, providing a blueprint of corporate networks for future targeted attacks. It is important to note that no customer banking details were compromised in this breach [3].
Broader Context of Supply Chain and Critical Infrastructure Attacks
The Eurofiber breach is not an isolated event but part of a disturbing trend of attacks targeting service providers to compromise their downstream clients. A recent, high-profile example is the cyberattack on Jaguar Land Rover in the UK, which is estimated to cost £1.9bn and has impacted 5,000 businesses within its supply chain, marking it as one of the most economically damaging cyber events in UK history [8]. Similarly, in Sweden, the state-owned power grid operator Svenska kraftnät confirmed a data breach claimed by the Everest ransomware gang, which threatened to leak 280 GB of data [10]. These incidents, alongside attacks on software company F5 and a supply chain campaign against Israeli IT providers reported by the National Cyber Directorate, highlight a strategic shift by threat actors towards exploiting centralized service platforms to achieve maximum disruption and financial gain [9][12].
Relevance and Remediation for Security Professionals
For security teams, this incident serves as a critical case study in third-party risk management and the importance of rigorous patch management for all internet-facing systems, especially those handling sensitive operational data. The exploited GLPI vulnerabilities were known and had available patches, underscoring the consequences of delayed updates. Organizations using similar service management platforms should immediately verify that they are running patched versions and conduct audits of what sensitive data is stored within these systems. Monitoring for the exposure of specific data types like SSH keys and API tokens is essential; any exposed credentials must be rotated immediately and universally. Furthermore, implementing robust network segmentation can limit the “blast radius” if a service management platform is compromised, preventing lateral movement into core corporate networks from such an entry point.
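One way to start the audit suggested above, as an added example that is not part of the original article: scan exported ticket text for the credential types named in the breach (private keys, VPN configuration keys, cloud access key IDs, API secrets) and list which tickets need redaction and key rotation. The ticket IDs, export shape and sample bodies are constructed, and the patterns are a small starting set, not exhaustive.

```python
import re

# Patterns for credential types named in the article; a starting set only.
PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "wireguard_private_key": re.compile(r"(?im)^\s*PrivateKey\s*=\s*\S+"),
    "generic_api_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|access[_-]?token|secret)\b\s*[:=]\s*"
        r"['\"]?[A-Za-z0-9_\-]{20,}"),
}

def scan_ticket(text):
    """Return sorted finding types for one ticket body.

    Only the type is reported, so the audit output never copies a secret.
    """
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def audit(tickets):
    """Map ticket id -> finding types, for tickets with at least one finding."""
    report = {}
    for ticket_id, body in tickets.items():
        found = scan_ticket(body)
        if found:
            report[ticket_id] = found
    return report

# Constructed ticket export: ids and bodies are illustrative, all values fake.
SAMPLE_TICKETS = {
    101: "Printer on floor 3 is offline again, please send a technician.",
    102: "VPN fails since Monday. Config attached:\n[Interface]\n"
         "PrivateKey = " + "A" * 43 + "=\n",
    103: "Deploy key for the backup job:\n"
         "-----BEGIN OPENSSH PRIVATE KEY-----\n(truncated)\n",
    104: "Our script uses api_key = 'c0nstructedSampleValue1234567890' "
         "and AKIAIOSFODNN7EXAMPLE",
    105: "Please reset my password, I forgot the secret question answer.",
}

if __name__ == "__main__":
    for ticket_id, kinds in audit(SAMPLE_TICKETS).items():
        print(ticket_id, ", ".join(kinds))
```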
The Eurofiber France breach exemplifies the severe repercussions of software supply chain compromises. By exploiting known vulnerabilities in a widely used ticketing system, a single threat actor was able to access a repository of data that could threaten the security posture of thousands of end-client organizations. This event reinforces the necessity for continuous vulnerability management, strict controls on the types of data stored in support systems, and a proactive approach to third-party risk assessment. As cyberattacks increasingly target the connective tissue between businesses, the security of shared platforms becomes a collective responsibility.