One of the largest internet providers in France, Free S.A.S, has confirmed that it recently suffered a cybersecurity breach after a hacker attempted to sell what purported to be stolen data from the organisation on the dark web.
Free told Le Monde that personal data related to some customers had indeed compromised after an attacker targeted a management tool.
[embed lemonde-article.jpeg]
However, according to the firm, no passwords, bank card information, or the contents of communications (emails, SMS, or voicemails) were compromised by the attack.
Furthermore, Free says that its services have not been impacted by the incident.
Nonetheless, the hacker (who calls themselves "drussellx") posted a message on a dark web cybercrime forum offering up for auction two databases stolen from Free - containing details of over 19 million customer accounts, and over five million IBAN details.
Free has been keen to downplay the significance of the leak of the IBAN details, saying that it is "not enough to make a direct debit from a bank."
According to the hacker, the data being offered for sale was exfiltrated on 17 October 2024, and contains the names, telephone numbers, email and postal addresses, and dates of birth of Free customers.
Free, which claims to have over 22 million subscribers, has not confirmed how many customers have been impacted by the data breach.
Concerned Free users would be wise to take steps to better defend themselves from exploitation. These include:
Free says that it has contacted the authorities and regulators about the security breach, and that it will be informing affected customers via email in the coming days.