
O2 Confirms Customer Data For Sale Online

O2 has confirmed customer data was being sold online, but denied its systems had been hit by a data breach.

A BBC investigation found hackers had obtained the information but O2 suggested this was from customers who had reused passwords on other websites.

“We have not suffered a data breach,” O2 said in a statement. “We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

Criminal investigation

The attackers are likely to have used credentials obtained from a gaming site called XSplit in 2013 to gain access to accounts on O2 or other online services, according to the BBC.

The technique, carried out on a large scale by automated tools, is known technically as “credential stuffing” and has recently been used to hack accounts belonging to prominent individuals including Facebook chief executive Mark Zuckerberg.

O2 said credential stuffing is a “challenge” facing many companies.

Data for sale

The BBC discovered the hacked data when a third party reported O2 data was listed for sale on a black market website.

The network purchased a small amount of the data, which included users’ phone numbers, emails, passwords and dates of birth, and verified it with O2.

The BBC wasn’t able to determine how many users were affected, but said it was likely accounts on other services besides O2 were hijacked.

The XSplit breach, which occurred in November 2013, affected about 2.8 million users, and included passwords protected by a process called hashing, which is considered relatively easy to decode.

Late last year security researchers reported seeing the data for sale on black-market websites, and the BBC’s researchers concluded that at least some of the passwords now appear to have been decoded and used in credential-stuffing attacks.

One of the O2 users affected told the BBC his accounts on eBay and Gumtree, which reused passwords from XSplit, had been hijacked and used to advertise cars for sale.

Ongoing risk

The incident illustrates how breaches can continue to affect companies and users years after they occur.

“If a hacker is able to determine your password for one site chances are that they will attempt to use the same credentials to unlock your accounts on other sites as well,” said security analyst Graham Cluley in an advisory.

He said that the forums of another gaming service, called Clash of Kings, were recently hacked with password data affected, and noted that the attack appeared to have been enabled by out-of-date software.

A known vulnerability in the same software, vBulletin, was used at around the same time to breach Ubuntu Linux’s forums and make off with two million users’ data.

“If you don’t keep the software running on your website up-to-date with the latest security patches, and put measures in place to reduce the risks of systems being breached and data being leaked, then you are putting your customers at risk,” Cluley wrote.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
