O2 Customer Data Discovered for Sale on Dark Web

Security experts have once again called for an end to password-based log-in systems after it was revealed that data belonging to O2 customers has found its way onto the dark web.

It’s thought that the hackers managed to gain access to the O2 accounts because customers used the same credentials on gaming website XSplit, which was breached three years ago.

This type of brute force technique is known as “credential stuffing” – according to OWASP.

The data stolen apparently includes phone numbers, dates of birth, emails and passwords.

Some O2 users informed of the incident by the BBC claimed they had also been notified of possible issues with other online accounts they used the same credentials to access.

"I was away from home when eBay contacted me to say there was some suspicious activity on my account. I checked and it looked like there were cars for sale on my account,” explained Chester-based Hasnain Shaw.

"Four weeks ago, I got a similar email from Gumtree. It looked like the same people had got access to that account because it was the same cars being advertised."

O2 has been quick to distance itself from the incident, claiming it wasn’t the subject of a breach.

It added the following in a statement:

“Credential stuffing is a challenge for businesses and can result in many company's customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations."

Hans Zandbelt, senior technical architect at Ping Identity, argued the incident highlights that password reuse is “no longer fit for purpose.”

“High-profile brands and businesses must implement and invest in two-factor and multi-factor authentication to safeguard data and maintain customer loyalty,” he added.

“Not only does two-factor authentication allow for a more secure service in our digital era, but such technology is crucially tied to the identity of the customer. This is imperative in alleviating the requirement for customers to remember and type in complex passwords over and over again.”

James Romer, chief security architect Europe at SecureAuth, argued the incident should be a wake-up call for firms still relying on traditional passwords.

“Bad actors are taking advantage of this laissez faire attitude, trying stolen credentials not just on one site but a number, even employing botnets which automate the process. Where the same credential combinations are repeatedly being used across a number of accounts, it’s the equivalent of a skeleton key to your online life,” he added.

“Organizations must move away from the current reliance on a single point of authentication to multi-factor, or even better, continuous authentication."

What’s Hot on Infosecurity Magazine?