Free 2024 Data Breach

Free French ISP & Mobile Carrier Breach (2024): 13.9 Million Customer Records Including IBAN Bank Account Numbers Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

drussellx (seller) + YuroSh (hacker, hacktivist-motivated) · Telecom · Bank Account Number · Date of Birth · Full Name · Gender · Phone Number · Physical Address
High Severity · Website / service breach

French telecom and ISP serving Freebox and Free Mobile

Verified by ObscureIQ Intelligence
Breach Risk Index: 69/100
Data Value: 30
Market Recency: 40
Since Breach: 335d

Breach Intelligence Summary

Entity: Free · Actor: drussellx (seller) + YuroSh (hacker, hacktivist-motivated) · Sources: 3 references
Attack: Unknown
Profile: Telecommunications Provider · Mobile, broadband, and digital communications services · National telecom operator and ISP · France
Timeline: Breach (2024-10-17) · Indexed (May 27, 2025) · Year (2024)
Exposure: 13.9M records · 6 fields: Bank Account Number, Date of Birth, Full Name, Gender, Phone Number, Physical Address
Status: Confirmed

Executive Summary

Free S.A.S., the second-largest French internet service provider and mobile network operator, suffered a data breach on October 17, 2024 when threat actors gained unauthorized access to an internal management tool and exfiltrated subscriber data covering both Free Mobile carrier customers and Freebox residential broadband subscribers. Free publicly confirmed the breach on October 26, 2024 after a threat actor using the alias 'drussellx' listed two databases for sale on BreachForums. The seller offered the dataset for auction at approximately $175,000 and subsequently made extortion-style threats, including the threatened public release of '100,000 lines of French IBANs from Free customers' if Free did not intervene in the auction. A separate threat actor using the alias 'YuroSh' subsequently claimed to have been the actual hacker (with drussellx serving as the seller), describing his motivation as hacktivist rather than financial. Free filed a criminal complaint and notified CNIL and ANSSI.

The breach affected approximately 13.9 million unique customer records based on records indexed by Have I Been Pwned (with the original threat actor's auction listing claiming 19.2 million customer accounts and 5.11 million IBAN records, and the subsequent CNIL investigation referencing 24 million subscribers as the regulatory population). The total exfiltrated dataset was approximately 43.6 gigabytes in JSON format. Compromised fields included full names, phone numbers, postal addresses, dates of birth, gender, email addresses, Free Mobile user IDs and login identifiers, service offer details, account statuses, and mobile numbers. For Freebox residential broadband subscribers specifically, the dataset additionally included IBAN bank account numbers, Freebox identifiers, service activation dates, and BIC banking identifiers.

Free publicly emphasized that no passwords, bank card details, email contents, SMS contents, or voicemail contents were exposed in the breach, and that the IBAN exposure alone was 'not enough to make a direct debit from a bank.' For affected customers, the practical risk profile is significant because complete identity-profile exposure is combined with French banking-identifier data for the Freebox subset. The IBAN exposure does not by itself enable direct debit fraud (because direct debit authorization in France requires additional steps beyond the IBAN), but the combination of full name, address, date of birth, and IBAN supports phishing attacks that can plausibly impersonate Free's billing function and request authorization for fraudulent direct debits.

Affected Freebox subscribers should review their bank statements monthly for any unauthorized direct debit attempts, and should treat any communication purporting to be from Free or from their bank requesting direct-debit authorization with elevated caution. Affected mobile subscribers face elevated SIM-swap risk because the dataset includes mobile numbers tied to subscriber identity. Affected customers should change passwords on Free Mobile and Freebox accounts, enable two-factor authentication where available, monitor financial accounts for suspicious activity, and remain alert to phishing emails and SMS messages referencing real Free subscription details. Affected French citizens may file complaints with CNIL, which has retained an active enforcement posture on this case.

ObscureIQ assessment: Risk is high because telecom and ISP breaches can expose a rich customer profile that supports identity fraud, phishing, SIM-related scams, and targeted impersonation. Communications providers often hold durable identifiers and service-level data that can materially increase downstream abuse potential.

Breach Impact

The institutional impact on Free has been substantial and continues to evolve through ongoing regulatory and judicial proceedings. The €42 million combined CNIL fine is among the largest GDPR enforcement actions against a French telecommunications operator and represents a notable precedent for enforcement of authentication and monitoring requirements under the GDPR. Iliad's planned appeal to France's Supreme Administrative Court (Conseil d'État) will provide an important test of the proportionality framework applied to GDPR sanctions for cyberattack-driven breaches. Free filed a criminal complaint with French authorities and notified both CNIL and ANSSI (the French national cybersecurity agency) immediately upon detection. The case sits within a notable cluster of major French telecommunications breaches during 2024 including SFR (September 2024) and connects to the broader Bouygues Telecom, La Poste Mobile, and Carrefour Mobile breach pattern across the French telecom sector. The reputational impact has been significant within the French consumer telecommunications market, although Free has retained its substantial subscriber base.

About Free

Free S.A.S. is a major French telecommunications company operating as a subsidiary of Groupe Iliad (Iliad S.A.). Free operates as France's second-largest internet service provider and mobile network operator, serving approximately 22.9 million mobile and fixed broadband subscribers across France through the Free Mobile mobile carrier brand and the Freebox residential broadband brand. Free was founded in 1999 and built its market position through aggressive low-cost pricing that disrupted the French telecommunications market. As a national telecommunications operator, Free maintains substantial subscriber data including identity, contact information, demographic data, service-account details, billing information, IBAN bank account numbers used for direct-debit billing of Freebox subscribers, and BIC banking identifiers.

Why They Hold Your Data

French telecom and ISP serving broadband and mobile customers through account-based communications services. The likely data context includes subscriber records, contact details, service-account information, billing or support-linked records, and data tied to telecom service use.

Recent Developments

Free is now the subject of one of France's largest GDPR enforcement actions following the October 2024 breach. In January 2026, France's data protection authority CNIL imposed total fines of approximately €42 million ($48 million) on Iliad Group subsidiaries — €27 million ($31 million) on Free SAS and €15 million ($17 million) on Free Mobile — for GDPR violations identified during the post-breach investigation. CNIL's enforcement findings included inadequate authentication procedures for VPN connections to internal systems and lack of effective measures for detecting unusual activity on Free's information systems. CNIL's press release cited the sensitivity of the breached data, the companies' large profits, and a 'lack of knowledge of essential security principles.' A Groupe Iliad spokesperson characterized the sanctions as 'completely disproportionate' and announced that the companies will appeal to France's Supreme Administrative Court, while emphasizing that Iliad has 'reinforced our security architecture, strengthened our access controls, and put in place enhanced real-time surveillance' since October 2024.

Data Points Exposed

6 verified field types
  • Bank Account Number (Critical)
  • Date of Birth (High)
  • Full Name (High)
  • Gender
  • Phone Number
  • Physical Address (High)

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Financial fraud using exposed financial profile data
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Doxxing risk from physical address exposure
Threat vectors:
  • ACH fraud & unauthorized transfers
  • Identity verification bypass
  • Name-based social engineering
  • Profile enrichment
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification

Threat Actor: drussellx (seller) + YuroSh (hacker, hacktivist-motivated)

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Free breach?

Free S.A.S., the second-largest French internet service provider and mobile network operator, suffered a data breach on October 17, 2024 when threat actors gained unauthorized access to an internal management tool and exfiltrated subscriber data covering both Free Mobile mobile carrier customers…

What data was exposed?

Verified fields include Bank Account Number, Date of Birth, Full Name, Gender, Phone Number, Physical Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Have I Been Pwned (Breach Index): Record & field corroboration
  • DataBreach.com (Breach Index): Record & field corroboration
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
