O2 customers' details sold on darkweb

Customers of the popular mobile network O2 are having their details sold on a dark web marketplace

O2 was not breached, but its customers' information was acquired using a technique called credential stuffing (Darkdoc via Wikimedia Commons)

The details of O2 customers have been found on sale on the dark web. The discovery was made by Victoria Derbyshire's BBC programme on Monday, in which Mike Godfrey, a security researcher at Inisa security, showed what one could buy on the dark web.

However, it was quickly shown that O2 hadn't been breached at all; the details had got there a different way.

The dark web refers to a series of private networks, inaccessible to those without the proper software or credentials, on which one can buy goods and services anonymously.

This is the water in which so much of today's cyber-criminality breeds. On there, one can buy false documents, guns, drugs, malware, or in this case, personal details.

James Maude, senior security engineer at endpoint security software firm Avecto, told SCMagazineUK.com via email that “Personal data is the new digital currency for cyber-criminals and unfortunately everyone is vulnerable. As cyber-criminals do all they can to find new ways of accessing and using these sensitive details, the public and businesses need to counteract this by being aware of the threats and adopting good security practices.”

From those personal details, and thanks to the all-too-common habit of password re-use, willful cyber-criminals can often get into multiple accounts of an individual user by a method known as ‘credential stuffing’.

This appears to be the case here. The information was not actually stolen from O2 but was apparently taken three years ago from gaming website Xsplit.

Matthias Maier, security evangelist at Splunk, told SC that, “Once again, we see a situation where hackers have managed to re-use data from an older breach because users have recycled the same passwords. This shows how a single data breach can go on to impact other organisations. The challenge this highlights for businesses is how employees or customers will unintentionally allow their credentials to be stolen or access hijacked. This has the potential to trigger security breaches and data leaks.”

However, added Richard Parris, CEO of Intercede, this is not entirely the customers' fault:

“The customers affected by breaches of this nature are those who recycle their passwords across multiple identities but it's time that service providers stopped blaming their customers for what is grossly inadequate security. Simple password-based authentication just doesn't work – none of us can possibly remember enough complex passwords to make the approach viable.”

The BBC bought a sample of the details and contacted all those it saw were affected.

An O2 spokesperson released a statement to SC, saying, “we have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many companies' customer data being sold on the darknet. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

The spokesperson added, “We act immediately if we are given evidence of personal credentials being taken from the Internet and used to try and compromise a customer's account.”