O2 customer data is on sale on the dark web. Reports indicate the origin of the data, acquired in November 2013, was a gaming site. The stolen credentials were then used to obtain more O2 customer data. The customer information on the dark web includes names, email addresses, phone numbers, dates of birth and passwords.
“We are not victims of any data breach. We have given all the details we have acquired about the seller on the dark web to law enforcement agents. We are helping the investigation by cooperating with law enforcement,” a statement by O2 read.
The stolen usernames and passwords originated from a gaming site, XSplit. The hackers matched the data they acquired from the gaming site to O2 accounts. Login details that successfully matched enabled the hackers to steal customer data from O2. Such an attack is called “credential stuffing”, and it is a method popular among hackers with different levels of expertise.
According to O2, credential stuffing can affect any business. The company went on to explain that it acts fast whenever it receives proof of data breaches that allegedly exposed its customers’ accounts. “Fraud and security are major concerns for all businesses. We always inform our clients and advise them to protect themselves whenever we have reason enough to believe there is a data breach.”
Hasnain Shaw, an O2 customer whose data is on sale on the dark web, told the BBC that the stolen data was used by unauthorized persons to access other accounts. “I was away from home on some personal business when I received a notification from eBay claiming there was some suspicious activity on my account,” Hasnain said. Someone had posted cars for sale on his account, something he knew nothing about.
Credential stuffing is the process of using login credentials from one site to attempt a login on another site. Hackers use software tools to match login credentials from one site against accounts on other sites.
Graham Cluley, a security analyst, claimed that one of the first things attackers do after getting login credentials is to check whether the data can unlock other sites. Such criminals end up getting more personal information. The information and data from multiple sites are used for identity theft and other fraudulent activity.
Verizon recently published a report titled “2016 Data Breach Investigation”. According to the report, many data breach incidents are a result of reused login data. Credential stuffing is responsible for highly targeted hacks and for opportunistic malware spreading as well. Both criminals and state-affiliated agencies use these attacks.
O2 has since informed all the customers whose data is on the dark web. Most of the customers said that they had used the login information found on the dark web for other online accounts. It’s hard to remember different passwords for all the different online accounts we have. Yes, it is not a good idea, but it still happens.
The O2 data breach should be a wake-up call for all companies to stop relying on a single authentication method when users sign in to their accounts. Multifactor authentication or continuous authentication should be the way to go.
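
The following added example is not from the original article or from O2. It shows one way a site operator can spot the credential stuffing pattern described above in login logs: a single source trying many distinct usernames with mostly failed logins, and the accounts that source did get into, which need a password reset and a customer notification. The log format, thresholds, usernames and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2016-07-26T10:00:01 198.51.100.7 anna FAIL
2016-07-26T10:00:03 198.51.100.7 ben FAIL
2016-07-26T10:00:05 198.51.100.7 dave OK
2016-07-26T10:00:07 198.51.100.7 emma FAIL
2016-07-26T10:00:09 198.51.100.7 finn FAIL
2016-07-26T10:00:11 198.51.100.7 gail FAIL
2016-07-26T10:02:00 203.0.113.9 carol FAIL
2016-07-26T10:02:20 203.0.113.9 carol FAIL
2016-07-26T10:02:45 203.0.113.9 carol OK
2016-07-26T09:00:00 192.0.2.10 hana OK
2016-07-26T09:00:10 192.0.2.10 ivan OK
2016-07-26T09:00:20 192.0.2.10 jude OK
2016-07-26T09:00:30 192.0.2.10 kofi OK
2016-07-26T09:00:40 192.0.2.10 lena OK
"""

def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5,
                    min_fail_ratio=0.75):
    """Return {source_ip: [accounts it logged in to]} for stuffing-like sources."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {user for _, user, _ in win}
            fails = sum(not ok for _, _, ok in win)
            # Many distinct usernames, mostly failing: one source replaying a
            # leaked list, unlike a user retrying one account or a shared NAT.
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = sorted({u for _, u, ok in events if ok})
                break
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG.splitlines()))
```

The customer who mistypes a password twice (203.0.113.9) and the shared address where five different users log in successfully (192.0.2.10) are both left alone; only the source cycling through usernames is reported, together with the one account it unlocked.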