Xacria XNO Allegedly Breached: 446 Service Orders and Subscriber PII Exposed From the Italian Carrier-Grade Telecom Network Orchestration Platform Used by FASTWEB and SKY ITALIA
Xacria XNO network orchestration platform breached; 446 service orders and subscriber PII exposed.
Summary
A threat actor claims to have compromised Xacria XNO, a carrier-grade network orchestration platform used by Italian telecom operators including FASTWEB and SKY ITALIA. The breach exposes 446 service orders, subscriber PII (account numbers, IMSI, MSISDN, MAC addresses, IPs), mobile provisioning records, enterprise circuit data with router CLI commands, and hardcoded security tokens reused across webhook integrations. The compromised data spans fiber broadband (FTTH/GPON), mobile broadband, and enterprise EVPN services across Tier 1, 2, and 3 operators.
Full text
Breach Report · Italy

A threat actor claims to have breached Xacria XNO (Xacria Network Orchestrator), a carrier-grade, cloud-native network orchestration platform used by Tier 1, 2, and 3 telecommunications operators in Italy for zero-touch provisioning and automation of fiber broadband, mobile, and enterprise network services. The actor states the dump includes 446 service orders, full subscriber PII, mobile provisioning records, enterprise circuit data including router CLI commands, and hardcoded security tokens reused across all webhook integrations.

Post details
- Actor(s): [Citizen] cc5ab
- Sector: Telecommunications / Network Orchestration
- Type: Data Breach
- Records: 446 service orders plus subscriber PII
- Country: Italy
- Date: 14/05/2026

Compromised data
- 446 service orders spanning fiber broadband (FTTH/GPON), mobile broadband (MBB), and enterprise EVPN circuits for operators including FASTWEB and SKY ITALIA
- Subscriber PII including customer account numbers, IMSI identifiers, MSISDN phone numbers (Italian +39 prefix), MAC addresses, and assigned IP addresses
- Mobile subscriber provisioning records with prepaid charging profiles, 5G NSA/SA service status, data quotas, traffic shaping policies, and international roaming configuration
- Enterprise circuit data with VDSL access technology, QoS profiles, VLAN assignments, pseudowire IDs, and complete router CLI commands for Cisco IOS-XR, Huawei NE40E, Juniper MX960, and ZTE platforms
- Hardcoded security token (value redacted) reused across all webhook integrations to the XFlow workflow engine
Indicators of Compromise
- malware — Citizen