The entertainment box research team recently discovered that Freedom Mobile was facing a massive data leak.
ENTERTAINMENT BOX researchers led by hacktivists Noam Rotem and Rahn Lokar discovered a vulnerability revealing personal data of up to 1.5 million active Freedom Mobile users. Freedom Mobile (formerly Wind Mobile) is Canada’s fourth-largest wireless provider.
His database was completely unprotected and unencrypted. Among other things, the data contained credit card numbers and CVV. Hack detection time and response
- April 17th: We detected a Freedom Mobile data leak.
- April 18th: We informed Freedom Mobile by email of a serious data leak. We did not receive a response.
- On April 23: We again tried to contact Freedom Mobile.
- April 24th: Freedom Mobile has finally answered our letters.
- April 24th: Freedom Mobile stopped the data leak.
Examples of records in the database
Like unprotected database Gearbest Elasticsearch, database by Freedom Mobile was completely unencrypted. We had full access to over 5 million records owned by 1.5 million users.
This data, apparently, reflects any actions committed in the account, taking into account the numerous entries of each user.
Personal data that has been disclosed:
- E-mail address
- home and mobile number
- home address
- Date of Birth
- customer type
- The IP address associated with the payment method
- unencrypted credit card and CVV numbers
- credit responses from Equifax and other corporations with justification for rejection/acceptance
We also had access to account numbers, subscription and billing dates, and customer service records, including locations.
Some records contained information from the Equifax database, namely information about credit history, creditworthiness and credit card accounts.
The consequences of a data leak
Oddly enough, Freedom Mobile prides itself on its high degree of privacy. This is even indicated in the own data column on their Twitter:
However, he clearly leaked his customer data.
Upon discovering this, we quickly notified Freedom Mobile about this issue. Having not received an instant response from them, we turned to colleagues on another security site with a request to help us contact Freedom Mobile in case our letters were spammed. But later it turned out that still, this was not the case.
Due to ethical considerations, we did not download information from the database, so we do not know exactly how many people were injured.
However, we were able to access at least 5 million unprotected records. At least 1.5 million subscribers have signed up for Freedom Mobile, and its parent company is owned by Shaw Communications, which has more than 3.2 million customers throughout Canada. This is arguably the largest data leak Canadian companies have ever encountered.
It’s rare to find a leak that contains both credit card information and CVV numbers, especially with this massive privacy violation.
Because this leak includes unencrypted credit card information, Freedom Mobile potentially violates PCI ( Payment Card Industry ) compliance rules. This can lead to serious consequences in reality for both the company and its users.
Owning a database containing credit card information, dates of birth, full names, addresses and phone numbers make it easy to carry out credit card fraud and identity theft. This can cost users, their banks and insurance companies hundreds of thousands of dollars.
An unencrypted database containing personal information is a valuable resource for hackers. Access to addresses, emails, phone numbers and credit information can help attackers implement complex phishing schemes.
Owning credit information, attackers can also carry out attacks in order to extort ransom since they know who owns large amounts of money.
Even the most vigilant user will not be able to protect themselves from a company that keeps its data insecure. The best option is to use a temporary card, account, or CVV numbers that are associated with your account. Read our complete guide for more information.