Free was the victim of a massive hack, which resulted in the theft and sale of the personal data of millions of subscribers, including IBANs. Enough to allow fraudulent withdrawals from bank accounts.
The hack that Free acknowledged at the end of October 2024 could well go down in history because of its scale and its consequences! The affair is taking an increasingly worrying turn, since the stolen data has indeed been sold. As reported by ethical hacker SaxX, the cybercriminal behind the attack claims to have sold the stolen database for $175,000. Obviously, we do not know the identity of the buyer of this precious data, except that it is not Free. But given the amount of the transaction, there is no doubt that it will be used for scams.
This is very bad news, since this sale opens the door to sophisticated phishing attempts, identity theft and, above all, fraudulent withdrawals from victims’ bank accounts due to the theft of 5 million IBANs. Because if the IBAN alone does not allow an account to be emptied, it can, coupled with other sensitive information, make it possible to set up SEPA direct debit mandates. Data such as that compromised during the cyberattack against Free…
Moreover, the hacker – who, given his humor, seems to be French – seems to want to sow panic and does not hesitate to directly threaten the victims. “I advise all current and former Free customers to prepare for what will happen very soon, especially those whose IBAN has been compromised”, he wrote on the forum. This story really smells bad!
However, the operator remains relatively silent. Worse still, it seems to greatly underestimate the risks! In a message sent to the CCM editorial staff, it states that “only the IBANs of certain Freebox subscribers were affected” – however, the hacker’s announcement does mention the IBANs of Freebox and Free Mobile subscribers – and that “a simple IBAN is not enough to make a withdrawal from a bank, so it is very unlikely that a withdrawal of unknown origin from a subscriber’s account will be accepted by the bank.” It does, however, assure that “as a precautionary measure, we have informed our banking partners”.
CYBERALERT, FRANCE | COUP FROM TRAFALGAR, the Free database was sold for $175,000 according to the cybercriminal!
IT’S CRAZY WHAT’S HAPPENING!
This Tuesday, October 29, 2024 at 7:40 p.m., the cybercriminal behind the Free cyberattack and who put pic.twitter.com/hNUdqOZ8Wf
— SaxX (@_SaxX_) October 29, 2024
Free hack: “a real desire to make a mess”
Between October 26 and 28, the operator sent emails to its customers to announce “unauthorized access to part of their personal data associated with your account”. An announcement that comes a few days after a mysterious hacker put Free customer data up for sale on the Dark Web. And suffice to say that the theft is significant and affects particularly sensitive data…
The first email sent by Free to its mobile subscribers was already very worrying. It indicates that the hacker stole a file containing the surnames, first names, email and postal addresses, dates and places of birth, telephone numbers, subscriber identifiers and contractual data (type of offer subscribed, date of subscription, active subscription or not). In other words, a very complete personal information sheet, allowing numerous scams to be carried out, through misappropriation or identity theft.
The operator, however, was keen to stress that passwords have not been compromised and that “all necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems”. A complaint was filed with the public prosecutor and a report was made to the CNIL, as is customary.
But Free’s second message, this time sent to Internet subscribers, was chilling. Because in addition to the data previously reported, it specifies that the hacker had access to the IBAN (International Bank Account Number), and therefore to the customers’ banking details! And that’s another story with even more serious consequences.
In fact, the damage is much greater than initially feared, since two new databases were subsequently put up for sale. One of them included 19,192,948 customer accounts, with the names, first names, telephone numbers, full postal addresses, dates of birth and email addresses of Free Mobile subscribers and Freebox customers. The other file listed more than five million IBAN details relating to the operator’s customers.
Worse still, the hacker, who calls himself drusselex, then distributed for free a sample of 100,000 IBANs, which was accessible to everyone. He claimed to have “a hell of a desire to make a mess”, in reference to the latest book by Xavier Niel, the founder of Free, and indicated that a “copy of data is about to be sold for more than $70,000”. He also invited the operator to negotiate: “If the company does not participate in this unique auction in the coming days, this copy of the data will be sold, resulting in serious consequences for customers and will likely be publicly disclosed on forums in the near future”.
Free hack: what are the risks if your IBAN has been stolen?
There is a strong fear of phishing campaigns in the coming weeks. Indeed, when they get their hands on databases, scammers use personal information to adapt their traps and make their messages more credible, including impersonating your operator – in this case, Free.
The fact that IBANs have been stolen can have serious consequences. Indeed, it is this code which allows transfers to be made to a bank account – it is used by employers to pay their employees’ salaries – but also to set up direct debits! And it is through these SEPA direct debits that subscriptions to various services are paid (electricity, gas, water, mobile and Internet plans, streaming platforms, etc.), but also insurance contributions and taxes. And since there is no systematic identity check when a direct debit mandate is set up, a hacker with the IBAN and all the associated personal information can easily drain a bank account with a direct debit. In short, this is the door open to massive looting for all the Free customers concerned.
This information can also be used to carry out SIM swapping attacks, a trendy scam aimed at stealing your phone number by pretending to be you and ordering a new SIM card in your name. In this way, the scammers can then easily access your various accounts, since they will directly receive the two-factor authentication codes. This will also allow them to make premium-rate calls to numbers they have created, which can cost you a phone bill of several hundred euros.
CYBERALERT, FRANCE | Cyberattack Free, 100,000 IBANs distributed for free on the “Amazon of cybercrime” by the same French cybercriminal
Last night at 4:30 a.m., the cybercriminal behind the Free cyberattack released a sample of 100 pic.twitter.com/qPzE0Yq5bn
— SaxX (@_SaxX_) October 27, 2024
This information could also allow cybercriminals to carry out fake-advisor scams, using the pretext of a direct debit problem to request immediate payment by bank card, by telephone or by email. Worse still, hackers will also be able to take money directly from your bank account, by stealing your identity and asking your bank for authorization to debit your account. To do this, they need the identity, the telephone number and other banking data, such as the BIC code, which allows banks to be identified internationally. Note that this is particularly easy to find since it is publicly available on the web for all banks.
It is possible that signatures were also stolen, since they appear on the back of identity cards. Moreover, Damien Bancal, security researcher of the blog Zataz, recently discovered a database of 15,000 identity cards belonging to French people while investigating criminal markets. Suffice to say that the financial losses can quickly turn out to be quite significant…
Free hack: what to do if you are a Free subscriber?
This is not the first time that Free has been the victim of a hack! Xavier Niel’s company already suffered an incident of this type at the beginning of October, when it discovered unauthorized access to the personal data of some of its customers (see our article). Furthermore, the same scenario had already occurred last February. A flaw also allowed customers in March 2024 to view the invoices of other Freebox subscribers from their customer area. Suffice to say that this is starting to add up, especially given the number of customers involved!
In short, if you are a subscriber of the operator, be extra vigilant in the coming weeks and as always, do not hastily respond to emails, SMS, calls, and even registered letters whose sender you do not know or who appear suspicious to you. Take the time to verify the identity of the person you are talking to before doing anything!
Above all, monitor your banking transactions to spot any fraudulent direct debits, given that scammers have stolen IBANs. If an unusual debit is detected, you can dispute the fraudulent debit within thirteen months following it. Your bank is required to reimburse you for the stolen money (see our article).
To find out if your personal data has been leaked to the Dark Web following hacks, you can use tools like Have I Been Pwned? By entering your email address in the site’s search bar, you can check whether it appears in a database that has suffered a data leak.
In the event of a leak, the tool lists the sites or applications from which the email address was hacked, on what date and the information that was compromised in addition to the email address, such as the password.