This week’s Cyber Intelligence House Leak of the Week highlights a breach involving a major French telecommunications company offering internet, mobile, and TV services. Based in France, the provider is known for low-cost plans and has millions of residential and business users across the country.
In December 2024, a user with the alias kokabel shared a dataset on DarkForums containing customer data exfiltrated through an exposed API endpoint that reportedly lacked proper authentication. The leak consists of 1 file totaling 43.5 GB of structured JSON records that expose sensitive customer data, including identity, telecom account details, service metadata, and PII.
The dataset includes:
– Over 19 million records with around 14 million unique email addresses.
– Structured fields such as name, email, phone number, date of birth, address, subscription status, and internal account metadata.
– File format: .txt (plain text/structured JSON)
Selected Items from the Leak
The following records reflect the severity of exposed data:
– evel********lly@gmail.com – Includes full name, birth date (2008), address in MAZI****BE, and active mobile plan metadata.
– fou******rent@yahoo.fr – Leaked with linked Freebox ID, birth location (SAIN* *****NNE), and complete postal data.
– yoa******@gmail.com – Exposes birthdate, city, offer price, and active line status for a minor.
– seb****s@***e.fr – Tied to a terminated plan and detailed account history since 2012.
– geoff*****16@hotmail.com – Shows subscription metadata under a €2 plan, activated in 2012, with Freebox linkage.
Original Poster’s Background: kokabel
The threat actor operating under the handle kokabel is a relatively new user on DarkForums (joined June 2025), but has posted multiple breach disclosures within a short time. This actor appears focused on leaking large datasets of French entities and possibly testing market demand before establishing a recurring leak-to-sale pattern. The leak was promoted with visuals and a breakdown of the data to increase visibility and credibility.
Implications
For Individuals:
– Identity Theft Risk: Leaked names, birthdates, and addresses can be exploited for fraudulent account creation or impersonation.
– Targeted Phishing: Emails linked to personal and service data enable precision phishing or social engineering.
– Telecom Exploits: Access to mobile subscription metadata can support SIM swap attacks and service manipulation.
For the Company:
– Regulatory Exposure: Severe GDPR liabilities due to the exposure of minors' data and unprotected user data.
– Brand Damage: Erosion of public trust as user data circulates in dark markets.
– Fraudulent Activity Surge: Increased customer support burden from identity misuse and subscription fraud.
CIH’s Recommendations
– Immediate Disclosure and Customer Notification.
– Audit and Patch API Security.
– Implement Token-Based Access.
– Enhance Data Retention Policies.
– Monitor for Abuse of Leaked Emails.