O2 customer data is being flogged on the dark net, according to the very shocked BBC.
It is believed that the data became available after usernames and passwords were stolen from gaming website XSplit three years ago. Where the same login details also worked on an O2 account, the hackers could access O2 customer data in a process known as “credential stuffing”.
It is highly likely that this technique will also have been used to log in to accounts at other companies, including O2 partners.
The data for sale included users’ phone numbers, emails, passwords and dates of birth.
BBC reporters bought a small sample of customer details from the seller to investigate further and contacted O2. Together, the investigating teams believed it was the result of credential stuffing.
This is where a criminal uses a piece of software to repeatedly attempt to log in to customers’ accounts using login details obtained from elsewhere – in this case, a November 2013 attack on gaming website XSplit. When a login succeeds, the customer’s details can be retrieved and sold.
O2 said in a statement: “We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many companies’ customer data being sold on the dark net.
“We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”