Months after a significant breach at Free, the compromised data is now listed on the “Have I Been Pwned” website. Subscribers can finally check if their personal information was exposed.
A Major Leak Stemming from an Internal Hack
Last October, Free was hit by a major cyberattack. This wasn’t just an external breach: the attackers had inside help to access a customer management tool. As a result, data from 19 million subscribers was stolen, including 5 million IBAN numbers. For customers, the incident remained unresolved for a while, but it has resurfaced today with a new development: the stolen data has been uploaded to the “Have I Been Pwned” platform.
Have I Been Pwned Adds Free to Its Database
The website Have I Been Pwned, well known for allowing internet users to check if their personal data has been compromised, has recently added the data from the attack on Free. Troy Hunt, the researcher behind the project, explains that the information eventually began circulating on the dark web, after initially being offered for sale on various forums. This allowed him to gather all the files for indexing.
In numbers, the leak includes 14 million email addresses, contact details, birth dates, phone numbers, and IBANs. According to Hunt, 59% of this data was already on the platform, indicating that some users had already been affected by other breaches. The leak therefore partly repeats earlier exposures, but on a truly unprecedented scale.
Legality Questioned in Europe
As pointed out by our colleagues at 01net, adding this data to Have I Been Pwned raises legal issues. In France and across the European Union, accessing data from a breach, even for verification purposes, is prohibited. The GDPR views this as illegal processing of personal data, due to the lack of explicit consent. The CNIL considers even the indirect dissemination of this information to be a violation. Researcher Clément Domingo notes that while such services are helpful, they are technically illegal in European territories.
How to Check If You Are Affected
To find out if your email address is part of the breach, you can enter it (albeit illegally) into Have I Been Pwned. The site will indicate whether it has been compromised and in what context. It will also specify the associated data (address, name, IBAN). If a breach is confirmed, you are advised to change your passwords immediately and monitor your bank statements. You can also sign up for the site’s automatic alert to be notified in the event of future leaks.
