Skip to content
Data breachContained

Leak at Free

In late October 2024, French ISP Free (Iliad group) disclosed a breach after attackers accessed an internal management tool, exposing subscriber identity and contact data plus around 5.1 million IBANs; the stolen data was later auctioned and sold online.

Victim
Free
records
5.2M

On 25 October 2024, Free — France's second-largest telecoms operator, part of the Iliad group — confirmed a cyberattack against its information systems after a threat actor contacted the company and announced the theft of subscriber data. Investigators later established that the intruders had reached an internal subscriber-management tool (MOBO), reportedly after gaining access through the company VPN, which let them query records belonging to both Free and Free Mobile customers.

The attacker put two datasets up for sale on a cybercrime forum: a large set covering Free Mobile accounts and a separate set of roughly 5.1 million Free fixed-line records that critically included banking IBANs. The stolen data was subsequently auctioned and reportedly sold for around 175,000 dollars. Free stated that no passwords, bank-card numbers, or communication content were compromised.

Exposed data categories included:

  • Last name and first name
  • Date and place of birth
  • Email and postal address
  • IBAN (bank account number)
  • Subscriber identifier, plan type, subscription date, and active-subscription status

Free filed a criminal complaint and notified the French regulators CNIL and ANSSI, stating that mitigation measures were applied immediately. The incident was contained, but in January 2026 the CNIL fined Free and Free Mobile a combined 42 million euros for failing to adequately secure the data, notify affected users, and comply with data-retention rules.

Sources

  1. clubic.comhttps://www.clubic.com/actualite-542138-cyberattaque-de-free-les-donnees-fuitees-ont-trouve-preneur-pour-175-000-dollars-voici-ce-que-ca-implique.html
  2. securityaffairs.comhttps://securityaffairs.com/170333/data-breach/free-suffered-a-cyber-attack.html
  3. therecord.mediahttps://therecord.media/france-data-regulator-fine

Related incidents

Data breachOngoing

Data leak at SFR

On 24 November 2024, a threat actor advertised a leak of personal data on 3.6 million customers of French telecom operator SFR — names, postal and email addresses, dates of birth and phone numbers — plus 150,000 IBANs offered for separate sale on the dark web.

Victim
SFR
Records
3.6M
Data breachContained

Leak at RED by SFR

In September 2024, RED by SFR — the low-cost mobile brand of French telecom SFR — disclosed a breach affecting several tens of thousands of recent customers, exposing names, contact details, IBANs, and SIM/handset identifiers after attackers accessed an order-management tool.

Victim
RED by SFR