Hacker Broke Into French ISP ‘Free’ and Is Now Selling Database Access

  • A hacker claims to have accessed the French ISP ‘Free’ database and is now selling it for $2,000.
  • There has been no data exfiltration yet, even though the hacker claims to be able to see subscriber details.
  • If the data breach is confirmed to involve customer data, it’ll be a GDPR violation and a massive exposure.

A hacker has gained access to the database of ‘Free,’ a Paris-based telecommunications provider – which is actually a subsidiary of Iliad. Having failed to receive a response from the company when he alerted them about the SQL injection, the hacker proceeded to list the database access for sale on a popular forum, setting the price to $2,000 for anyone interested.

If the seller’s claims are true, the buyer could gain access to a trove of valuable and sensitive data, potentially causing great troubles for the French firm and its customers.

Image: technadu.com

We have reached out to the hacker to ask for more details and also additional proof of the validity of the claims, and we got a confirmation of the access in the form of screenshots. Also, it is noteworthy that other “prominent” members of the forum claim to have access to that data, too, implying that the database has been vulnerable for a long time now.

Image: technadu.com

To the “million-dollar” question of whether the access exposes customer/subscriber details, the hacker responded affirmatively – so if this hack is confirmed by the company, it will automatically qualify as a GDPR violation. This would incur an investigation from the data protection authority in the country, and depending on the results, a hefty fine could also be imposed. The hacker told TechNadu that if ‘Free’ continues to ignore his messages, he will soon release client data too.

Image: technadu.com

We are working towards verifying this alleged security incident with ‘Free’ through our contacts in France, and we will hopefully have a response from the company soon. If the database access is confirmed to be true, it could mean that information like customer names, email addresses, mobile numbers, member credentials, user ID, IP address, etc., will have been exposed. As of now, it is important to clarify that such an exposure has not been officially confirmed.

Notably, the actor had to resort to selling access to the database to get the company’s attention – and to cash in his hacking efforts, of course. The alternative route would be an immediate response from the firm and possibly also the payout of a bug bounty for pointing out the vulnerability and helping the company fix it.

Update 15 June

Below is the response we got from ‘Free’:

This is a database that we use to create the Fiber map. As such, it is a stand-alone database that is totally separate from the customer database. It does not contain any personal data – just fiber addresses etc., which are public data anyway. Our technicians are aware of the problem and have already identified its source, but there have not been any adverse consequences. In conclusion, the data in this base does not have any value – €2K for that seems very expensive to us 😉

This confirms the breach but devalues it at the same time. The hacker indeed accessed the company’s systems but ‘Free’ claims that there’s nothing valuable in the datasets that were accessed. We chatted with the hacker again and he told us that the access to the company’s systems is still open, and soon, client data will be published online.

REVIEW OVERVIEW

Latest

Intel Revises Manufacturing Process Development Roadmap and it Looks Promising

Intel declares ready to leave the ear of massive delays behind and finally get back on track.The American chipmaker promises to release...

Kazakhstan Blocks LinkedIn Over Illegal Casino Advertisements and Fake Accounts

Kazakhstan says LinkedIn violated its online advertisement rules and posted casino ads on the platform.For this reason and also for the existence...

Monero Bug May Have Exposed the Privacy of Transactions for a Small Number of Users

Monero transactions could be de-obfuscated thanks to a nasty bug in the decoy algorithm.The flaw affects transactions made quickly after a user...