No known breach but BBC finds data for sale, expert blames password reuse
O2 customer data is being sold on the dark net after cyber criminals used details stolen from a hacked gaming website to access O2 accounts.
The BBC's Victoria Derbyshire programme discovered the details for sale on the dark net.
The process is known as 'credential stuffing'. When a poorly secured database is hacked, the cyber criminal can gain access to lots of user names and logins.
These credential pairs are then automatically tried against user accounts on other services to check whether they work. If a pair is found to be valid, the credentials can be sold on the dark net, where there is a large market for them.
The data for sale included users' phone numbers, emails, passwords and dates of birth.
O2 itself has not suffered a breach.
In response to the news that some of O2’s customer data is being sold on the dark web, Matthias Maier, Security Evangelist at Splunk, said: “Once again, we see a situation where hackers have managed to re-use data from an older breach because users have recycled the same passwords. This shows how a single data breach can go on to impact other organisations. The challenge this highlights for businesses is how employees or customers will unintentionally allow their credentials to be stolen or access hijacked. This has the potential to trigger security breaches and data leaks. Recent research by IDC found that hapless users are a greater threat than malicious insiders. 27 per cent of businesses are worried about poor user security practices, compared to just 12 per cent of businesses who are worried about malicious insider threats. Businesses need to understand where the threat is coming from and what normal behaviour looks like in order to detect unusual activity, respond appropriately and secure themselves.”