Leak at Companie de Transport Strasbourgeoise
In November 2024, the Compagnie des Transports Strasbourgeois (CTS) — Strasbourg's public transport operator — detected fraudulent logins to about 100 of its roughly 350,000 customer accounts via a credential-stuffing attack reusing passwords stolen in unrelated breaches.
- Victim
- Companie de Transport Strasbourgeoise
On 21 November 2024, the Compagnie des Transports Strasbourgeois (CTS) — the public transport operator for Strasbourg and its metropolitan area — emailed its entire customer base to warn that around one hundred customer accounts had been subject to abnormal access, which it had detected the same day.
The intrusions were the result of a credential-stuffing attack rather than a compromise of CTS systems. Usernames and passwords had been stolen in earlier, unrelated data breaches affecting other websites; because some customers had reused those same credentials for their CTS account, attackers were able to log in to the affected accounts. The breach therefore did not originate from CTS's own infrastructure.
The scope of exposure was limited. Roughly 100 of CTS's approximately 350,000 customer accounts were affected, and CTS stated that no banking details or identity documents were stored on its servers. The data potentially accessible was confined to customer-account information held in the affected profiles, such as:
- Contact and account-profile details
- Travel-pass / customer-account information
CTS notified all customers, advised affected users to change reused passwords, and pointed customers to France's official Cybermalveillance victim-assistance service. The incident was detected and contained quickly, with no evidence of a wider compromise of CTS infrastructure.
Sources
- france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/grand-est/bas-rhin/strasbourg-0/fuite-de-donnees-des-comptes-clients-de-la-compagnie-des-transports-strasbourgeois-vises-par-des-acces-frauduleux-3065767.html