O2 customer data has been found available for sale on the dark web, most likely as a result of a hack that occurred several years ago.
The gaming website XSplit was hacked three years ago, and those responsible were able to obtain usernames and passwords from the site. Through 'credential stuffing', in which account credentials acquired in a hack are tested on multiple websites, the hackers were able to log into O2 accounts.
O2 has contacted the police to report the case and is working to aid the authorities in their hunt for the hackers. Generally, when account credentials from one site are successfully used to access another, it is highly likely that the users were negligent with their security online and employed the same username and password across multiple sites.
The user data found for sale on the dark web included the phone numbers, emails, passwords and dates of birth of the O2 customers. An ethical hacker who found the listing on a dark net market pointed out that the account credentials were available for sale.
Graham Cluley, a computer security expert, pointed out that when hackers successfully acquire user information, 'credential stuffing' is often their next move, saying: “One of the first things the criminals will try to do is see if any stolen passwords might unlock other sites online – potentially spilling more secrets about us, and opening us up to fraud and identity theft.”
The O2 customers whose account information was found for sale online have been informed of the potential danger, and the company made a statement in which it said: “We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many companies' customer data being sold on the dark net.”
“We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”