The stolen data includes the customers' name, postal address, email address, phone number, and additional information about the composition of the household, the number of subscriptions household members have with Orange or competitors, and the customers' preference of how to be contacted.
The intrusion was terminated immediately after being detected, and the compromised web page - "My Account" in the client area of the Orange.fr website - taken offline for a while.
The company says that passwords haven't been compromised, but warns users that the information that was stolen is very useful for mounting phishing attacks. They explained why a phishing attack is, and urged affected customers to be on the lookout for them coming via email, SMS or telephone.
PC INpact (via Google Translate) reported that all French customers and not just the ones affected by the breach have already received a phishing warning around January 23, but that one didn't mention the intrusion.
The authorities have been notified of the breach and are investigating it, but no more details about how it was executed were shared.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.