Seven months after the initial breach, French ISP and major email provider’s massive data leak affecting 14 million users has been indexed by the world’s leading breach notification service
Free Mobile’s catastrophic data breach from October 2024 was finally added to Have I Been Pwned (HIBP), the world’s most comprehensive data breach notification service, on May 27, 2025. The inclusion comes more than seven months after French telecommunications giant Free first confirmed the security incident that exposed the personal information of nearly 14 million customers.
The Original Breach
Free, France’s second-largest internet service provider with over 22.9 million mobile and fixed subscribers, first disclosed the breach in late October 2024. The company confirmed that hackers had breached its systems and stolen customer personal information, targeting a management tool that exposed subscribers’ data.
The stolen data affected 19.2 million customers and contained over 5.11 million IBAN bank account numbers, impacting all Free Mobile and Freebox customers, according to the threat actor known as “drussellx” who subsequently put the data up for sale on BreachForums.
Enhanced Risk for Email Users
Given Free’s status as a major email provider in France, this breach poses heightened security risks for millions of @free.fr email users. The exposed email addresses can be used for sophisticated phishing campaigns targeting French users. This is particularly dangerous because attackers now hold associated personal information, including names, addresses, and dates of birth, that can make fraudulent communications more convincing.
The breach affects not just Free’s telecommunications customers but also standalone email users who may have created @free.fr addresses for personal or business use. This makes the incident one of the largest email security breaches in France’s history.
Major Email Provider Impact
The breach is particularly significant because Free operates one of France’s largest email services through its free.fr domain. Free’s webmail service (webmail.free.fr) ranks as the third most visited email website in France, making this breach a major concern for French internet users who rely on @free.fr email addresses for personal and business communications.
Free provides email services to millions of users as part of its telecommunications offerings, with many French internet users having used @free.fr email addresses for years. The @free.fr email domain is widely used across France, with Free being described as “a major Internet and mobile provider in France” that offers email services alongside its internet and mobile subscriptions.
The exposure of 14 million email addresses means that affected users face increased risks of targeted phishing campaigns, spam, and potential account takeover attempts across multiple services where they may have used their @free.fr email addresses for registration.
The breach exposed 14 million unique email addresses along with names, physical addresses, phone numbers, genders, dates of birth and, for many records, IBAN bank account numbers. Free advised that the IBAN numbers were “not enough to make a direct debit from a bank”, though the company acknowledged the serious nature of the exposure.
The attackers failed to access customer passwords, bank card information, and communications content including emails, SMS, and voice messages, Free confirmed in its initial disclosure.
The Path to Public Exposure
The data was initially posted for sale and later leaked publicly, following a pattern common in major data breaches where stolen information eventually makes its way from private criminal markets to public forums.
Free filed a criminal complaint with the public prosecutor and notified French regulators including the National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI).
Have I Been Pwned Integration
According to HIBP’s breach listing, the Free Mobile breach was added to the service on May 27, 2025, despite the incident occurring in October 2024. The database now shows 13.9 million affected accounts from the breach.
The timing coincides with HIBP’s recent major update. Australian security researcher Troy Hunt announced the official launch of Have I Been Pwned 2.0 on May 20, 2025, following a soft launch in March. The new version completely rebuilt the website and changed functionality across the platform.
While the exact reason for the seven-month delay between the breach’s public disclosure and its inclusion in HIBP remains unclear from available sources, data breach services typically require time to obtain, verify, and process large datasets before making them searchable.
Current Recommendations
For affected users, HIBP (Have I Been Pwned) recommends immediate action, including:
- Changing Free Mobile passwords if not updated since 2024
- Enabling two-factor authentication where available
- Changing passwords on other accounts that used the same credentials
- Monitoring for suspicious login attempts and phishing emails
The breach represents one of the largest telecommunications data exposures in France’s history, affecting roughly one-third of the country’s population according to the original threat actor’s claims.
Users can now check if their email addresses were included in the Free Mobile breach by visiting haveibeenpwned.com and searching for their email address. The service will display all known breaches associated with the queried address, including this latest addition to its database of over 880 compromised websites and services.






