vpnMentor’s research team recently discovered that Freedom Mobile experienced a huge data breach.

Led by hacktivists Noam Rotem and Ran Locar, vpnMentor’s researchers discovered a breach which exposes up to 1.5 million active Freedom Mobile users’ personal data. Freedom Mobile (formerly Wind Mobile) is Canada’s fourth-largest wireless communications provider.

Our team discovered 5 million unencrypted records but, for ethical reasons, did not download the database, so we cannot provide exact numbers. The company has since claimed that “only” 15,000 records were exposed.

The database was totally unprotected and unencrypted. The data includes credit card and CVV numbers.

Timeline of Breach Discovery and Reaction

April 17: We discover a leak in Freedom Mobile’s database.

April 18: We email Freedom Mobile to inform the company of a serious data breach. We receive no response.

April 23: We try to contact Freedom Mobile again.

April 24: Freedom Mobile finally responds to messages.

April 24: Freedom Mobile closes the data breach.

Examples of Entries in the Database

Similar to Gearbest’s unprotected Elasticsearch database, Freedom Mobile’s database was completely unencrypted. We had full access to more than 5 million records, reflecting up to 1.5 million users.

These records seem to reflect any action taken within a user account, allowing for multiple entries per customer.

The personal data exposed includes:

email address

home and mobile phone number

home addresses

date of birth

customer type

IP address connected to payment method

unencrypted credit card and CVV numbers

credit score responses from Equifax and other corporations, with reasons for acceptance/rejection

We could also access account numbers, subscription dates, billing cycle dates, and customer service records including locations.

Some entries also included data from an Equifax database. This included information on credit scores, credit class, and credit card accounts.

Data Breach Impact

Ironically, Freedom Mobile prides itself on offering high levels of privacy. It’s even in their Twitter bio.

However, they clearly shared – and overshared – their customers’ data.

After discovering the data breach, we quickly alerted Freedom Mobile to the issue. When they didn’t immediately respond, we asked contacts at another security site to help us reach them in case our emails went to spam. As they eventually replied, we know that this isn’t the case.

For ethical reasons, we didn’t download the database, so we don’t know exactly how many people were affected.

However, we could access at least 5 million unprotected records. Freedom Mobile has at least 1.5 million subscribers, and its parent company is owned by Shaw Communications, which has more than 3.2 million customers across Canada. This may be the largest breach experienced by a Canadian company.

It’s rare to find a leak which details both credit card information and CVV numbers together, especially in such a large breach.

As this data leak includes unencrypted credit card information, Freedom Mobile is potentially in breach of PCI (Payment Card Industry) compliance rules. This could result in serious real-world impacts for the company as well as its users.

Dangers of Hacks

A database full of credit card data, birth dates, full names, addresses, and phone numbers also allows for credit card fraud and identity theft. This could cost users – and their banks and insurance companies – hundreds of thousands of dollars.

An unencrypted database of personalized information is a valuable resource for hackers. Access to addresses, email addresses, phone numbers, and credit data can help malicious actors execute sophisticated phishing schemes.

Credit information also allows for highly targeted ransomware attacks, as bad actors know where they can demand high prices.

Even the most careful users can’t defend themselves against a company that saves their data on an unsecured database. The best way we found is to use a temporary card, account, or CVV number connected to your account. See our complete guide for more information.

About Us and Previous Reports:

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

We recently discovered a huge data breach impacting 80 million US households. We also revealed that Gearbest experienced a massive data breach. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
