Involved in the theft of Free's data, a second hacker now assures that it was not ultimately sold as initially announced.
Still unclear but a possible sigh of relief for Free subscribers. While the latter were informed by the operator of a leak of their data potentially including 5 million IBANs, a hacker closely involved in this massive theft calls into question the sale of this data, although announced by the cybercriminal who last month claimed responsibility for attacking a Free management tool. He indicated that he had sold this database to a third party for 175,000 dollars, or approximately 160,000 euros.
Known under the pseudonyms “drussellx” and “YuroSh”, two pirates are in reality the key players in this affair. According to information collected by the specialized site DataBreaches, “YuroSh” maintains that the data was ultimately never sold, contrary to initial statements by “drussellx”. YuroSh explains that their goal was not direct profit, but to pressure Free to improve the security of its infrastructure. While “drussellx” reportedly considered extortion, YuroSh says it is more driven by concerns about transparency and privacy.
“On November 3, the affair took a surprising turn. DataBreaches was contacted by someone identifying themselves as “YuroSh”. He claimed to be the hacker responsible for the free.fr leak. “I understand that this database has been featured on French television for weeks, and I would like to clarify a few details,” he said, providing us with what appeared to be Xavier Niel's personal information ( CEO of FREE) as preliminary evidence of his involvement”tells the specialized site.
When questioned, YuroSh said his role had been to help exploit the vulnerability. The outlet asked him to ask drussellx to send a private message to DataBreaches via BreachForums to confirm his involvement. The latter confirmed that YuroSh was responsible for the hack, which he now assures the data was never auctioned off or sold at all – and it wasn't going to be.
The two hackers have already reported security vulnerabilities to Free in the past, without obtaining a satisfactory response. In 2022, the CNIL had already sentenced Free to a fine of 300,000 euros for deficiencies in data protection, a context which reinforces the attention surrounding this cyberattack affair.
This article was reprinted on the Univers FreeBox website
