Data theft of Free clients in France: care needed to avoid scams

Clients of Free Mobile are advised to be on the lookout for scams after the company was hit by a major cyber attack in October targeting the personal data of its users, however Free Mobile says that no passwords or bank details were taken.

The attack was announced on X by self-proclaimed “friendly hacker” SaxX on October 22, who warned that a cyber criminal was selling two databases on the dark web: one containing the details of 20 million Free customers, and another of 5 million IBAN details.

The personal details include customers’ names, phone numbers, postal addresses, birthdays and emails, SaxX said.

Clients of Free were cautioned to change their passwords and look out for potential scams.

No passwords stolen

In a statement to French media on October 26, Free Mobile acknowledged that it had been hacked without confirming the extent.

“No passwords”, “no bank cards”, “no communications content (emails, SMS, voicemails, etc.)” were affected by this attack”, the company told Agence France-Presse. 

“No operational impact has been observed on our activities or services.

“The subscribers concerned have been or will be informed by email shortly”, announced the operator, adding that “all the necessary measures were taken immediately to put an end to this attack and reinforce the protection of our information systems.”

The company added that it had filed a criminal complaint with the Public Prosecutor and informed the French data protection agencies, la Commission Nationale de l'Informatique et des Libertés and the Agence Nationale de la Sécurité des Systèmes d'Information.

The cyber attack on Free, which targeted one of the service's software management tools, follows a similar attack on SFR in September.

Following that attack, SFR confirmed on September 19 that it had been subject to a “security incident involving a tool for managing customer orders” that resulted in the theft of customer data, including bank details.