Phone numbers, email addresses, passwords and dates of birth most likely first stolen from gaming website XSplit three years ago
O2 customer data is being sold on the dark net by cyber criminals, the BBC’s Victoria Derbyshire programme has learned.
It revealed the data was almost certainly obtained by using customer usernames and passwords first stolen from gaming website XSplit three years ago to log into their accounts with the mobile operator.
‘Credential stuffing’
When the details matched, hackers could access the data via a process called ‘credential stuffing’. This is where username/password pairs are obtained from fraudsters and then tested to see if they are the same on other websites.
O2 said all the information that has been provided to it has been passed to law enforcement and is helping them with their investigations.
Data for sale included users’ phone numbers, email addresses, passwords and dates of birth.
The BBC said it was shown this by an ethical hacker, who had found the data available for sale on a dark net market. This is a part of the internet only visible to those using specialist web browsers, and is often used for illegal activity.
Reporters from the BBC bought some customer details from the seller so that it could investigate further and contacted O2. An unknown number of affected customers have been informed.
Not a data breach
An O2 spokesperson said: “We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many company’s customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.
“We act immediately if we are given evidence of personal credentials being taken from the Internet and used to try and compromise a customer’s account. We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves.”
