Massive Data Breach Hits French Telecom Giant SFR: 1.4 Million Records Exposed

A massive data breach at French telecom giant SFR has exposed 1.4 million customer records, allegedly scraped by threat actors with stolen access.

By Marco Rizal - Editor, Journalist

There are reports of a significant data breach affecting Societe Francaise Du Radiotelephone (SFR), which is the second oldest mobile network operator and the second largest telecommunications company in France.

The breach, which was initially reported by The Cyber Express, has affected 1,445,683 records that contain sensitive Personally Identifiable Information (PII) of SFR customers.

According to reports, the data that was compromised has been released on BreachForums, a marketplace on the dark web.

KevAdams selling SFR data for $300 (Credits: The Cyber Express)

The individual responsible for this goes by the username KevAdams. The actor is selling the entire database for $300, and they accept payment in Monero (XMR) or Litecoin (LTC).

KevAdams assured that the sale thread would be deleted once the payment was received.

What we know about the breach

It is still unclear whether the data breach is legitimate as SFR has not yet responded to the allegations.

Only individuals who have paid the $300 fee have access to the complete database. While KevAdams did provide a 12-line sample of data, it proved to be insufficient.

Therefore, while our team was digging for more information regarding the said leak, we stumbled upon the complete database from another threat actor.

The data is presented in a Comma-Separated Values (CSV) format, with a size of 16.4 MB and a total of 1,445,684 records.

1 million lines of data from SFR breach

The CSV software we use can only process up to 1 million lines, which is fewer than the number of entries in the file.

SFR data breach lines 994,575 to 994,618 (Blurred for privacy)

However, the data clearly shows the extent of the breach, including customer information such as first names, last names, phone numbers, home addresses, latitudes, longitudes, subscription statuses, and red list indicators.

Each line of customer data carries inherent risk, exposing the person it describes to targeted phishing and other attacks.

Whether the data belongs to SFR is still unverified, but from what we see, the samples contain coordinates that correspond to locations in France.

Coordinates in the data breach point to locations in France

In addition, there are other individuals on the forum who assert that they have smaller sets of data from the same breach, indicating the possibility of multiple leaks occurring gradually.

One threat actor has stated, “I have another smaller SFR leak and I tried to find similarities in both files. I don't remember when or where my leak came from but maybe the phone number change of owner.”

Who is behind the leak?

Contrary to initial assumptions, the individual known as KevAdams, who initially posted the data for sale, is not actually responsible for the SFR breach.

Upon further investigation, it has been discovered that the data leak originated from individuals associated with a notorious hacker group.

Threat actor xzin0vich has given a statement about the breach. He provided a clear explanation that the data was obtained in early June by a threat actor named @exinax, with assistance from French threat actor Zalko.

Both individuals have ties to the former hacking group Epsilon. xzin0vich mentioned that the SFR leak occurred in June and was carried out by @exinax and a French threat actor known as 'Zalko'. They are members of, and have a close relationship with, the former group Epsilon.

Epsilon, well-known for its history of breaching companies such as LDLC and Shadow, gained a reputation for revealing confidential data.

It seems that other threat actors are attempting to profit and gain recognition within the cybercriminal community by selling SFR's data on BreachForums, even though it was initially leaked for free in a small community.

Xzin0vich made it clear that it was not @KevAdams who breached SFR. Zalko and @exinax are the ones who originally leaked the information.
