Free has confirmed a massive hack, with the theft of the personal data of millions of subscribers, including IBANs. Enough to allow fraudulent withdrawals from bank accounts.
It never ends! For several weeks now, French companies and organizations have been victims of serial hacking, resulting in the theft of personal data of customers and users. Boulanger, Truffaut, Cultura, SFR, Assurance Retraite and Meilleurtaux… It’s a real massacre! Mobile operators are not spared. They are particularly attractive targets for cybercriminals, due to the colossal amount of personal information they hold on their subscribers. And the hack that Free acknowledged at the end of October 2024 could well go down in history for its scale and its consequences.
Xavier Niel’s company had already paid the price at the beginning of October, when it discovered unauthorized access to the personal data of some of its customers (see our article). Evidently, the security of its infrastructure has not been reinforced since: between October 26 and 28, the operator sent emails to its customers to announce “unauthorized access to part of the personal data associated with your account”. An announcement that comes a few days after a mysterious hacker put Free customer data up for sale on the Dark Web. And suffice to say that the theft is significant and affects particularly sensitive data…
Free hack: “a real desire to make a mess”
The first email sent by Free to its mobile subscribers is already very worrying. It indicates that the hacker stole a file containing surnames, first names, email and postal addresses, dates and places of birth, telephone numbers, subscriber identifiers and contractual data (type of offer subscribed, date of subscription, whether the subscription is active). In other words, a very complete personal profile, enabling numerous scams to be carried out through impersonation or identity theft.
The operator, however, was keen to stress that passwords have not been compromised and that “all necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems”. A complaint was filed with the public prosecutor and a report was made to the CNIL, as is customary.
But Free’s second message, this time sent to Internet subscribers, sends shivers down your spine. Because in addition to the data previously reported, it specifies that the hacker had access to the IBAN (International Bank Account Number), and therefore to the customers’ banking details! And that’s another story with even more serious consequences.
In fact, the damage is much greater than initially feared, since two new databases have since been put up for sale. One of them includes 19,192,948 customer accounts, with the names, first names, telephone numbers, full postal addresses, dates of birth and email addresses of Free Mobile subscribers and Freebox customers. The other file lists more than five million IBAN details relating to the operator’s customers.
Worse still, the hacker, who calls himself drusselex, distributed a free sample of 100,000 IBANs, which are accessible to everyone. He claims to have “a hell of a desire to make a mess”, in reference to the latest book by Xavier Niel, the founder of Free, and indicates that a “copy of data is about to be sold for more than $70,000”. He also invites the operator to negotiate: “If the company does not participate in this unique auction in the coming days, this copy of the data will be sold, resulting in serious consequences for customers and will likely be publicly disclosed on forums in the near future”.
Free hack: what are the risks if your IBAN has been stolen?
There is a strong fear of phishing campaigns in the coming weeks. Indeed, when they get their hands on databases, scammers use personal information to adapt their traps and make their messages more credible, including impersonating your operator – in this case, Free.
The fact that IBANs have been stolen can have serious consequences. Indeed, it is this code that allows transfers to be made to a bank account – it is what employers use to pay salaries – but it is also what is needed to set up direct debits! And it is through these SEPA direct debits that subscriptions to all sorts of services are paid (electricity, gas, water, mobile and Internet plans, streaming platforms, etc.), as well as insurance premiums and taxes. And since there is no systematic identity check when a direct debit mandate is set up, a hacker holding the IBAN and all the associated personal information can very easily drain a bank account with a direct debit. In short, the door is wide open to massive looting of every Free customer concerned.
This information can also be used to carry out SIM swapping attacks, a fashionable scam that consists of stealing your phone number by pretending to be you and ordering a new SIM card in your name. Scammers can then easily access your various accounts, since they will directly receive the two-factor authentication codes. It also allows them to make premium-rate calls to numbers they have set up themselves, which can leave you with a phone bill of several hundred euros.
CYBERALERT, FRANCE | Cyberattack Free, 100,000 IBANs distributed for free on the “Amazon of cybercrime” by the same French cybercriminal
Last night at 4:30 a.m., the cybercriminal behind the Free cyberattack released a sample of 100 pic.twitter.com/qPzE0Yq5bn
— SaxX ¯\_(ツ)_/¯ (@_SaxX_) October 27, 2024
This information could also allow cybercriminals to carry out fake bank advisor scams, using the pretext of a direct debit problem to request immediate payment by bank card, by telephone or by email. Worse still, hackers could take money directly from your bank account by usurping your identity and asking your bank for authorization to debit it. Suffice to say that the financial losses can quickly turn out to be quite significant…
Free hack: what to do if you are a customer of the operator?
This is not the first time that Free has been the victim of a hack! In addition to the intrusion at the beginning of October, the same scenario had already occurred last February (see our article). And in March, a flaw allowed customers to view the invoices of other Freebox subscribers from their customer area. Suffice to say that this is starting to add up, especially given the number of customers involved!
In short, if you are a subscriber of the operator, be extra vigilant in the coming weeks and as always, do not hastily respond to emails, SMS, calls, and even registered letters whose sender you do not know or who appear suspicious to you. Take the time to verify the identity of the person you are talking to before doing anything!
Above all, monitor your banking transactions to spot any fraudulent direct debits, given that the scammers have stolen IBANs. If an unusual direct debit is detected, you can dispute it within thirteen months of the debit date. Your bank is then required to reimburse you for the money taken.
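As an added illustration of the monitoring advised above (not part of the original article), the script below scans a constructed bank statement export and flags SEPA direct debits whose creditor identifier or mandate reference does not match a mandate the account holder actually signed, which is exactly the pattern a fraudulent debit set up with a stolen IBAN would show. The statement format, the creditor identifiers and the mandate references are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed statement export (assumed format): DATE;TYPE;CREDITOR_ID;MANDATE;AMOUNT;LABEL
# "SDD" marks a SEPA direct debit; other types (card payments, transfers) are ignored.
STATEMENT = """\
2024-11-02;SDD;FR12ZZZ123456;MANDATE-FREE-001;29.99;PRLV SEPA FREE MOBILE
2024-11-03;SDD;FR98ZZZ654321;MANDATE-EDF-042;86.40;PRLV SEPA EDF
2024-11-05;SDD;DE55ZZZ999999;MND-7781;480.00;PRLV SEPA XYZ SERVICES
2024-11-06;CARD;;;12.50;CB SUPERMARCHE
2024-11-07;SDD;FR12ZZZ123456;MANDATE-FREE-001;29.99;PRLV SEPA FREE MOBILE
2024-11-08;SDD;FR12ZZZ123456;MANDATE-NEW-999;199.00;PRLV SEPA FREE MOBILE
"""

# Mandates the account holder really signed (constructed): creditor id -> set of mandate refs.
# A fraudster can reuse a familiar label, so the check keys on the creditor id and mandate, not the label.
KNOWN_MANDATES = {
    "FR12ZZZ123456": {"MANDATE-FREE-001"},
    "FR98ZZZ654321": {"MANDATE-EDF-042"},
}

@dataclass
class Alert:
    date: str
    creditor_id: str
    mandate: str
    amount: float
    reason: str

def parse_statement(text):
    """Yield (date, kind, creditor_id, mandate, amount, label) tuples from the export."""
    for line in text.strip().splitlines():
        date, kind, creditor, mandate, amount, label = line.split(";")
        yield date, kind, creditor, mandate, float(amount), label

def find_suspicious_debits(text, known=KNOWN_MANDATES, max_amount=150.0):
    """Return alerts for direct debits from unknown creditors, unknown mandates, or unusual amounts."""
    alerts = []
    for date, kind, creditor, mandate, amount, label in parse_statement(text):
        if kind != "SDD":
            continue
        if creditor not in known:
            alerts.append(Alert(date, creditor, mandate, amount, "unknown creditor identifier"))
        elif mandate not in known[creditor]:
            alerts.append(Alert(date, creditor, mandate, amount, "unknown mandate for a known creditor"))
        elif amount > max_amount:
            alerts.append(Alert(date, creditor, mandate, amount, "amount above threshold"))
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_debits(STATEMENT):
        print(f"{a.date} {a.creditor_id} {a.mandate} {a.amount:.2f} -> {a.reason}")
```

Any alert is a candidate for the dispute described above; the mandate reference on the flagged line is what the bank will ask for.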