Hacker claims to have data linked to 19 million French mobile and internet customers

Free, the second largest internet service provider (ISP) and telephone operator in France, has recently confirmed it was the victim of a major breach.

The company, which is believed to have over 20 million customers, notified France’s cyber agency over the weekend, stating that threat actors targeted a management tool which was used to exfiltrate user data.

Free clarified that no passwords, bank cards, or communications were impacted during the attack, adding that there was no operational impact on its services.

A listing posted to an underground criminal forum on 21 October claimed to have two databases belonging to Free available for sale, and dated the access back to 17 October.

The threat actor claimed one of these databases contained information relating to 19.2 million customers, stating the breach affects all Free Mobile and Freebox customers.

“Today, I’m selling the database of the French-based ISP “Free SAS”. The data breach affects 19.2 million customers and contains over 5.11 million IBAN numbers.”

The hacker also provided a sample archive of some of the data it claims to be selling, including the database headers revealing some of the personal data included in the breach.

The screenshot of the 43.6GB JSON database allegedly exfiltrated from Free includes names, email addresses, address, date of birth, mobile number, as well as their Free customer information.

Prominent French cyber evangelist and self dubbed ‘nice hacker’ SaxX, posted details of the listing on X, noting that the lister’s account had only been created one day before the post was made.

SaxX warned the threat actor’s claims should be taken with a pinch of salt before the authenticity of the stolen data is confirmed, adding that hackers are increasingly using AI to generate fake leak data.

Free urges customers to stay wary

Free has not confirmed the number of customers whose data has been affected by the incident, but told Agence France-Presse (AFP) it would be notifying affected subscribers via email.

The firm added that “all necessary measures have been taken immediately to put an end to this attack and strengthen the protection of our information systems.”

Free has downplayed the danger the leaked financial information poses to customers claiming the stolen IBAN numbers would not be enough for malicious actors to withdraw money from customer accounts.

Nonetheless, customers should remain alert to potential attacks using any of the compromised personal data, the company added, stressing that individuals linked to the breach may be targeted with phishing attacks in the future.

SFR, the third-largest telecommunications company in France was another recent victim of a major data breach, which exposed sensitive customer information such as names, email addresses, addresses, phone numbers, according to an email sent to customers on 19 September 2024.

SFR said it had taken the necessary steps to resolve the issue, but similarly urged customers to remain wary about potential fraud attempts using their information.