On October 26, FREE S.A.S., a major ISP in France, confirmed that it had been hacked after a threat actor calling himself “drussellx” listed customer data up for auction on a popular hacking forum. Drussellx claimed to have acquired the information of 19.2 million subscribers on October 17, 2024. The breach “affects all FREE Mobile and Freebox customers, and includes the IBANs of all 5.11 million Freebox subscribers,” drussellx wrote.
In acknowledging the breach, FREE indicated that the attacker had targeted a management tool that gave them access to subscriber data but not to passwords, bank card information, or content of communications. The company, which is a subsidiary of the Iliad Group, subsequently filed a criminal complaint and notified both CNIL and ANSSI of the incident.
Days later, another post appeared. This one claimed that the data had been sold at auction for $175,000. “Free thought the DB was free, ils n’ont rien comprise,” the post stated.
But the “SOLD” announcement was not the end of the story, it seems.
On November 1, another forum user calling themself “how” posted that the original poster had been arrested and that they were reselling the data to make more money: $35k per copy, five times only. They provided the same sample data as in the original post and invited people to send them private messages. DataBreaches reached out to them via PM to question them because their post sounded like a scam. They never answered DataBreaches, but they removed their post.
Wait. The Data WASN’T SOLD?
On November 3, the story took a surprising twist. DataBreaches was contacted by someone who identified himself as “YuroSh.” He claimed he was the hacker responsible for the free.fr leak. “I understand this database has been featured on French TV for weeks, and I’d like to clarify a few details,” he said, providing DataBreaches with what appeared to be the personal information of Xavier Niel (FREE’s CEO) as some preliminary proof of his involvement.
When asked, YuroSh stated his role had been to help exploit the vulnerability. DataBreaches asked him to have drussellx send a private message to DataBreaches through BreachForums to confirm his involvement. drussellx subsequently sent DataBreaches a private message stating that YuroSh had been responsible for the hack.
So what was the detail in media reports that YuroSh wanted to clarify? Well, according to YuroSh, the data had never actually been sold at auction or sold at all — and it wasn’t going to be sold.
Apparently, YuroSh and drussellx had different priorities as to what they would do with the data, but neither one really wanted to sell people’s data or leak it. Drussellx reportedly wanted to extort FREE and had used the “up for auction” post and the “sold” post to try to pressure FREE into paying extortion. YuroSh, however, seemed more motivated by hacktivism, telling DataBreaches:
Every citizen in France has likely been leaked at least once. The recent databases that have been hacked include Free, SFR, France Travail, Ameli, CAF (Caisse d’allocations familiales), FFF (Fédération Française de Football), Ledger, LDLC, Shadow, and Cdiscount. I’m not a saint but I hope the free.fr incident will finally wake the French people up to the reality of mass surveillance and fight back against it. Privacy in France has been eroded to a point where it’s practically non-existent. This situation goes beyond a single breach, it’s a systemic issue, rooted in a government determined to impose a surveillance state. The majority of people don’t think twice about surveillance practices, even as GAFAM and government collude to control every aspect of our digital lives.
France became the first country in Europe to legalize biometric surveillance, supposedly for “public safety” during major events like the Olympics. Under this new law, police use algorithmic video surveillance to analyze biometric data: body shapes, gestures, movements. They pushed this through during a time of national distraction, brushing aside debates about civil liberties. It was a calculated move that revealed how little they respect individual privacy. This move obviously opens the door to further expansion. It’s not about public safety; it’s about the gradual normalization of mass surveillance.
French law enforcement has gone so far as to target ProtonMail, Tor, and other privacy tools, framing them as criminal. They’ve made using these protections suspect, while overlooking real breaches. They claim it’s about fighting cyber threats, but in reality, it’s an attack on individual freedoms.
Their goal is total control, and they’re not hiding it. From surveillance drones monitoring protests to AI scoring systems that reduce welfare rights based on mysterious algorithms, every new tool brings France closer to a surveillance state. Privacy is on life support, and if people don’t resist now, soon it may be gone entirely.
YuroSh added, “I’m different, I hate surveillance and I think the only way to wake them up is to hack them. Otherwise things don’t change.”
FREE’s Past Security Issues
YuroSh also claimed that in the past, they had sent FREE vulnerability alerts that were ignored. When DataBreaches started looking into FREE, we found that FREE had been fined by CNIL in the past. On November 30, 2022, CNIL imposed a penalty of 300,000 euros on FREE, for not respecting the rights of individuals and the security of its users’ data.
According to CNIL’s announcement of the enforcement action, a CNIL investigation in response to some consumer complaints had revealed several security infringements of the GDPR, in particular passwords in clear text, and return into circulation of approximately 4,100 poorly reconditioned Freeboxes.
DataBreaches asked YuroSh whether the vulnerabilities they had reported to FREE were reported before or after November 2022. He replied that it was after that time, and easy “because they didn’t monitor well, we were able to send millions of requests for weeks.”
What Now?
Iliad Group did not respond to email inquiries DataBreaches sent about the CEO’s personal data and about YuroSh’s claims that the data had not been sold or leaked. But if his claims are true, then can more than 19 million French consumers breathe any sigh of relief?
Maybe not. When asked what he and his associate intend to do with the data if it will not be sold, YuroSh answered that they will either keep it or destroy it.
“Either way, 19M people may still have some anxiety,” DataBreaches commented.
“Indeed,” YuroSh answered.
DataBreaches does not see how this incident would have any impact on surveillance, but perhaps regulators will take another look at FREE’s data security and privacy protections to see whether they comply with the GDPR.
Update 1: DataBreaches was contacted on November 7 by someone who claims that YuroSh was lying and that the data had been sold to one buyer, although not for $175k. This person has provided DataBreaches with samples of data, but the data needs to be investigated. This story may not be over yet.
Yuro, real activism builds awareness without hurting innocents. Holding data hostage undercuts your message of ‘privacy rights’.
Yuro isn’t the one who posted sample data, that was Drussellx on breach forum. I suspect that Drussellx really wanted money tbh. “sell” in his alias 🙂