We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Report: Freedom Mobile Data Breach Exposes Canadian Customers' Full Credit Details

vpnMentor Research Team Cybersecurity and Research Lab

vpnMentor's research team recently discovered that Freedom Mobile experienced a huge data breach.

Led by hacktivists Noam Rotem and Ran Locar, vpnMentor's researchers discovered a breach which exposes up to 1.5 million active Freedom Mobile users' personal data. Freedom Mobile (formerly Wind Mobile) is Canada's fourth-largest wireless communications provider.

Our team discovered 5 million unencrypted records, but for ethical reasons, did not download the database so cannot provide exact numbers. The company has since claimed that "only" 15,000 records were exposed.

The database was totally unprotected and unencrypted. The data includes credit card and CVV numbers.

Timeline of Breach Discovery and Reaction

  • April 17: We discover leak in Freedom Mobile's database.
  • April 18: We email Freedom Mobile to inform company of serious data breach. Receives no response.
  • April 23: We try to contact Freedom Mobile again.
  • April 24: Freedom Mobile finally responds to messages.
  • April 24: Freedom Mobile closes data breach.

Examples of Entries in the Database

Similar to Gearbest's unprotected Elasticsearch database, Freedom Mobile's database was completely unencrypted. We had full access to more than 5 million records, reflecting up to 1.5 million users.

These records seem to reflect any action taken within a user account, allowing for multiple entries per customer.

The personal data exposed includes:

  • email address
  • home and mobile phone number
  • home addresses
  • date of birth
  • customer type
  • IP address connected to payment method
  • unencrypted credit card and CVV numbers
  • credit score responses from Equifax and other corporations, with reasons for acceptance/rejection

We could also access account numbers, subscription dates, billing cycle dates, and customer service records including locations.

Some entries also included data from an Equifax database. This included information on credit scores, credit class, and credit card accounts.

Data Breach Impact

Ironically, Freedom Mobile prides itself on offering high levels of privacy. It's even in their Twitter bio:

However, they clearly shared - and overshared - their customers' data.

After discovering the data breach, we quickly alerted Freedom Mobile to the issue. When they didn't immediately respond, we asked contacts at another security site help us reach them in case our emails went to spam. As they eventually replied, we know that this isn't the case.

For ethical reasons, we didn't download the database, so we don't know exactly how many people were affected.

However, we could access at least 5 million unprotected records. Freedom Mobile has at least 1.5 million subscribers, and its parent company is owned by Shaw Communications which has more than 3.2 million customers across Canada. This may the largest breach experienced by a Canadian company.

It's rare to find a leak which details both credit card information and CVV numbers together, especially in such a large breach.

As this data leak includes unencrypted credit card information, Freedom Mobile is potentially in breach of PCI (Payment Card Industry) compliance rules. This could result in serious real-world impacts for the company as well as its users.

Dangers of Hacks

A database full of credit card data, birth dates, full names, addresses, and phone numbers also allows for credit card fraud and identity theft. This could cost users - and their banks and insurance companies - hundreds of thousands of dollars.

An unencrypted database containing personalized information represents a valuable resource for hackers. With access to addresses, email addresses, phone numbers, and credit data, malicious actors can exploit this information to orchestrate sophisticated phishing schemes.

Credit information also allows for highly targeted ransomware attacks, as bad actors know where they can demand high prices.

Even the most careful user can't defend itself against a company that saves their data on an unsecured database. The best way we found is to use a temporary card, account, or CVV number connected to your account. See our complete guide for more information.

About Us and Previous Reports:

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

We recently discovered a huge data breach impacting 80 million US households. We also revealed that Gearbest experienced a massive data breach. You may also want to read our VPN Leak Report and Data Privacy Stats Report.

Please share this report on Facebook or tweet it.

We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

About the Author

vpnMentor Research Lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address

Thanks for submitting a comment, %%name%%!

We check all comments within 48 hours to ensure they're real and not offensive. Feel free to share this article in the meantime.