Hackers have listed purported O2 customer data for sale on the dark web. The data was reportedly first stolen from a gaming site in November 2013 and later used by the hackers to access O2 customer accounts. The personal data on sale on the dark web includes names, phone numbers, dates of birth, email addresses and passwords.
An O2 statement said: "We have not suffered a data breach. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations."
The stolen usernames and passwords came from a gaming website called XSplit; the hackers then tried them against O2 accounts. Wherever the login details matched, the cybercriminals could access that customer's O2 data. This process is called "credential stuffing" and is commonly used by cybercriminals of varying skill levels to conduct different kinds of cyberattacks.
O2 said: "Credential stuffing is a challenge for businesses. We act immediately if we are given evidence of personal credentials being taken from the internet and used to try and compromise a customer's account. We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves."
O2 customer Hasnain Shaw, whose account details were found among the ones listed for sale on the dark web, said his stolen data has already been used by hackers to access more accounts. "I was away from home when eBay contacted me to say there was some suspicious activity on my account. I checked and it looked like there were cars for sale on my account," said Shaw, the BBC reported.
What is credential stuffing?
Credential stuffing involves hackers taking login credentials stolen from one site and running them through an automated tool that tries them, one after another, against the login page of a different target. The attack relies on users having reused the same email address and password; each pair that matches gives the attacker access to that user's account and data on the new target.
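From a defender's side, the pattern described above has a recognisable shape in authentication logs: one source tries many different accounts in a short time, most attempts fail (the reused password is only valid for a fraction of users), and the few successes are the accounts that have just been compromised. The following is an added illustration, not code from the article or from O2; the log format, the addresses and the threshold values are all constructed for the example, and a real deployment would tune them against its own traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log lines (not real O2 data). The two
# 198.51.100.x addresses behave like ordinary users: one account each, an
# occasional typo. 203.0.113.5 behaves like a stuffing source: a different
# account on every attempt, mostly failures, and two hits.
SAMPLE_LOG = """\
2016-07-26T09:00:01Z ip=198.51.100.10 user=alice@example.com result=OK
2016-07-26T09:00:05Z ip=198.51.100.11 user=bob@example.com result=FAIL
2016-07-26T09:00:09Z ip=198.51.100.11 user=bob@example.com result=OK
2016-07-26T09:01:00Z ip=203.0.113.5 user=carol@example.com result=FAIL
2016-07-26T09:01:01Z ip=203.0.113.5 user=dave@example.com result=FAIL
2016-07-26T09:01:02Z ip=203.0.113.5 user=erin@example.com result=OK
2016-07-26T09:01:03Z ip=203.0.113.5 user=frank@example.com result=FAIL
2016-07-26T09:01:04Z ip=203.0.113.5 user=grace@example.com result=FAIL
2016-07-26T09:01:05Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2016-07-26T09:01:06Z ip=203.0.113.5 user=ivan@example.com result=OK
2016-07-26T09:01:07Z ip=203.0.113.5 user=judy@example.com result=FAIL
"""

# Assumed log line layout: timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters used by the heuristic."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that were hit


def parse_log(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def aggregate_by_source(events):
    """Group attempts by source address."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def find_stuffing_sources(events, min_users=5, min_fail_rate=0.6):
    """Return {ip: SourceStats} for sources that tried many distinct accounts
    with a high failure rate. Brute force against one account looks different
    (one user, many attempts) and is deliberately not matched here."""
    flagged = {}
    for ip, s in aggregate_by_source(events).items():
        fail_rate = s.failures / s.attempts
        if len(s.users) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = s
    return flagged


def compromised_accounts(events, **thresholds):
    """Accounts that logged in successfully from a flagged source: the ones
    to reset and notify, since the attacker now holds a working password."""
    hit = set()
    for s in find_stuffing_sources(events, **thresholds).values():
        hit |= s.successes
    return sorted(hit)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in find_stuffing_sources(evs).items():
        print(f"{ip}: {len(s.users)} accounts tried, "
              f"{s.failures}/{s.attempts} failed, hit: {sorted(s.successes)}")
    print("accounts to reset / notify:", compromised_accounts(evs))
```

The per-address heuristic catches the simple case in the sample; a campaign spread across many addresses keeps each one under the thresholds, so a site-wide spike in the failure rate across many distinct accounts is the complementary signal to watch. Either way, the actionable output is the list of accounts that saw a success from a flagged source, which is exactly the set a provider would force a password reset on and notify, as O2 says it does when it is given such evidence.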
Verizon's 2016 Data Breach Investigations Report says: "The capture and/or reuse of credentials is used in numerous incident classification patterns. It is used in highly targeted attacks as well as in opportunistic malware infections. It is in the standard toolkit of organised criminal groups and state-affiliated attackers alike."
Security expert Graham Cluley said when customer data is stolen, "one of the first things the criminals will try to do is see if any stolen passwords might unlock other sites online - potentially spilling more secrets about us, and opening us up to fraud and identity theft".
O2 customers whose data was found on the dark web and verified by the BBC have been informed by the company. Most of them admitted to reusing passwords when logging into other accounts. It is still unclear how many users have been affected.
James Romer, Chief Security Architect Europe at SecureAuth, said: "The O2 data leak must be a stark wake-up call for businesses who continue to rely on traditional username and password authentication alone. We all know that using the same password/username credentials across multiple sites is a bad idea, yet it still happens far too often.
"Users have difficulty remembering different passwords for the multitude of needs of our online lives, so they default to using the same password over and over and it's generally something simple. How many times has 1234 topped the most common password list?
"Organisations must move away from the current reliance on a single point of authentication to multifactor, or even better, continuous authentication. Not only does this render stolen credentials completely worthless across the breached site, it also means they cannot be used to compromise users more broadly."