Details were reportedly stolen using credentials leaked from a gaming site three years ago
O2 has confirmed customer data was being sold online, but denied its systems had been hit by a data breach.
A BBC investigation found hackers had obtained the information but O2 suggested this was from customers who had reused passwords on other websites.
“We have not suffered a data breach,” O2 said in a statement. “We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”
The attackers are likely to have used credentials obtained from a gaming site called XSplit in 2013 to gain access to accounts on O2 or other online services, according to the BBC.
The technique, carried out on a large scale by automated tools, is known technically as “credential stuffing” and has recently been used to hack accounts belonging to prominent individuals including Facebook chief executive Mark Zuckerberg.
O2 said credential stuffing is a “challenge” facing many companies.
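Credential stuffing, as described above, looks different in an authentication log from classic brute force: one source tries many different usernames with roughly one password each, because the attacker already holds a candidate password per account from the earlier leak. The following detection routine is an added example, not code from the article, O2 or the BBC; it assumes a constructed log format (timestamp, source IP, username, outcome) and uses made-up sample lines in documentation IP ranges.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not part of the original article or of any O2 system.
The log format is an assumed one: one line per login attempt with
timestamp, source IP, username and outcome.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real O2 data). 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
2016-07-26T10:00:01Z src=203.0.113.5 user=alice result=fail
2016-07-26T10:00:02Z src=203.0.113.5 user=bob result=fail
2016-07-26T10:00:02Z src=203.0.113.5 user=carol result=success
2016-07-26T10:00:03Z src=203.0.113.5 user=dave result=fail
2016-07-26T10:00:03Z src=203.0.113.5 user=erin result=fail
2016-07-26T10:00:04Z src=203.0.113.5 user=frank result=fail
2016-07-26T10:00:05Z src=203.0.113.5 user=grace result=success
2016-07-26T10:00:06Z src=203.0.113.5 user=heidi result=fail
2016-07-26T10:01:00Z src=198.51.100.7 user=ivan result=fail
2016-07-26T10:01:20Z src=198.51.100.7 user=ivan result=fail
2016-07-26T10:01:40Z src=198.51.100.7 user=ivan result=success
2016-07-26T10:02:00Z src=198.51.100.9 user=judy result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the assumed format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, max_per_user=2):
    """Return {src: stats} for sources whose traffic fits credential stuffing:
    at least `min_distinct_users` different usernames tried inside `window`,
    with no single username tried more than `max_per_user` times. Many tries
    against ONE username (plain brute force) is deliberately not flagged here.
    Thresholds are assumptions to tune per site."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        per_user = Counter()   # attempts per username inside the sliding window
        start, best = 0, None
        for end, ev in enumerate(evs):
            per_user[ev["user"]] += 1
            # Slide the window start forward until it fits inside `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                start += 1
            distinct = len(per_user)
            if distinct >= min_distinct_users and max(per_user.values()) <= max_per_user:
                win = evs[start:end + 1]
                stats = {
                    "distinct_users": distinct,
                    "attempts": len(win),
                    "successes": sum(1 for e in win if e["result"] == "success"),
                    # Accounts that accepted the stuffed password: likely hijacked.
                    "hijacked": sorted(e["user"] for e in win if e["result"] == "success"),
                }
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

Only 203.0.113.5 is flagged: eight different usernames in five seconds, each tried once, two of which succeeded, so those two accounts should be treated as compromised and have their sessions and passwords reset. The 198.51.100.7 source, three attempts against one username, is left to a separate brute-force rule.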
Data for sale
The BBC discovered the hacked data when a third party reported O2 data was listed for sale on a black market website.
The network purchased a small amount of the data, which included users’ phone numbers, emails, passwords and dates of birth, and verified it with O2.
The BBC wasn’t able to determine how many users were affected, but said it was likely accounts on other services besides O2 were hijacked.
The XSplit breach, which occurred in November 2013, affected about 2.8 million users and included passwords that were hashed rather than stored in plaintext. Hashing is one-way, so the passwords are not "decoded"; instead an attacker guesses candidate passwords, hashes each one and compares the result with the leaked hashes, and with a fast, unsalted hash this offline cracking recovers common passwords quickly.
Late last year security researchers reported seeing the data for sale on black-market websites, and the BBC's researchers concluded that at least some of the passwords have since been cracked and used in credential-stuffing attacks.
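The cost of cracking a leaked table depends almost entirely on how the passwords were hashed. The following added example (not code from the article, O2 or XSplit) compares the two cases. The article does not say which hash XSplit used, so the weak case is an assumed unsalted MD5; the hardened comparison uses PBKDF2-HMAC-SHA256 with a per-user salt. The leaked records and wordlist are constructed, and the iteration count is kept small so the example runs in a moment.

```python
"""Offline cracking cost: unsalted fast hash versus salted slow KDF.

Added example; the hash choices, records and wordlist are assumptions,
not facts about the XSplit dump described in the article.
"""
import hashlib
import os

# Constructed plaintexts used only to build the "leaked" records below.
# carol's password is deliberately absent from the wordlist.
PLAINTEXTS = [("alice", "letmein"), ("bob", "dragon123"), ("carol", "Xq9!vR2#pL")]
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon123", "football"]
ITERATIONS = 1000  # assumed; real deployments use hundreds of thousands


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


# Assumed weak storage: unsalted MD5, as a real dump would present it (hex strings).
LEAKED_UNSALTED = [(user, md5_hex(pw)) for user, pw in PLAINTEXTS]


def crack_unsalted(records, wordlist):
    """Without a salt, one hash per candidate serves EVERY record: build the
    lookup table once, then recover each password by dictionary lookup.
    Returns (cracked {user: password}, number of hash computations)."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in records if h in table}
    return cracked, len(wordlist)


def pbkdf2_hex(pw, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def make_salted_records(plaintexts, iterations):
    """Hardened storage: a random 16-byte salt per user plus a slow KDF."""
    records = []
    for user, pw in plaintexts:
        salt = os.urandom(16)
        records.append((user, salt, pbkdf2_hex(pw, salt, iterations)))
    return records


def crack_salted(records, wordlist, iterations):
    """With per-user salts there is no shared table: each candidate must be
    re-derived for each record, and every derivation costs `iterations`
    HMAC rounds. Returns (cracked {user: password}, total HMAC rounds)."""
    cracked, work = {}, 0
    for user, salt, h in records:
        for w in wordlist:
            work += iterations
            if pbkdf2_hex(w, salt, iterations) == h:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    weak, weak_work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted MD5:", weak, "hash computations:", weak_work)
    strong, strong_work = crack_salted(
        make_salted_records(PLAINTEXTS, ITERATIONS), WORDLIST, ITERATIONS)
    print("salted PBKDF2:", strong, "HMAC rounds:", strong_work)
```

Both runs recover the same two weak passwords, which is the point of the article: a dictionary password is recoverable either way, and once recovered it is tried wherever the user reused it. The difference is the bill. The unsalted table costs six hash computations for the whole dump regardless of its size, while the salted version costs fourteen full derivations (fourteen thousand HMAC rounds here, and proportionally more with a production iteration count) for just three users, which is why salted, slow hashing limits how much of a 2.8-million-user dump ever gets cracked.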
One of the O2 users affected told the BBC his accounts on eBay and Gumtree, which reused passwords from XSplit, had been hijacked and used to advertise cars for sale.
The incident illustrates how breaches can continue to affect companies and users years after they occur.
“If a hacker is able to determine your password for one site chances are that they will attempt to use the same credentials to unlock your accounts on other sites as well,” said security analyst Graham Cluley in an advisory.
He said that the forums of another gaming service, called Clash of Kings, were recently hacked with password data affected, and noted that the attack appeared to have been enabled by out-of-date software.
A known vulnerability in the same software, vBulletin, was used at around the same time to breach Ubuntu Linux’s forums and make off with two million users’ data.
“If you don’t keep the software running on your website up-to-date with the latest security patches, and put measures in place to reduce the risks of systems being breached and data being leaked, then you are putting your customers at risk,” Cluley wrote.