Jag_cz - Fotolia

British Gas warns customers of security leak but denies breach

British Gas has warned customers that account logins may have been leaked, but says its systems have not been breached and that no payment data has been exposed

British Gas has warned around 2,200 of its 14.7 million customers that their email addresses, passwords and past energy bills have been published on the document-sharing site Pastebin.

The utility company has contacted the affected customers and assured them that its systems have not been breached and that no payment data has been exposed.

The data has been removed from Pastebin, but British Gas has disabled all the affected accounts on its website and asked customers to reset their passwords through the website.

The company said that the data posted on Pastebin had not come from British Gas. “As you’d expect, we encrypt and store this information securely. From our investigations, we are confident that the information which appeared online did not come from British Gas,” the company said in an email to customers.

The utility company notified affected account holders before checking if all the published passwords were valid, so the number of accounts at risk could be lower than 2,200, according to the BBC.

If the company is correct in saying its computer systems have not been breached, then the details may have been harvested in another breach and tested against British Gas’s website to see if they worked.

This is the reason why security experts advise holders of online accounts to ensure that usernames and passwords are unique to each account; that way, if one is compromised, the others will remain secure.

British Gas has published guidelines on its website for staying safe online. The first point states: “It’s crucial to pick strong passwords that are different from each other for all your important accounts.”

Independent security consultant Graham Cluley said there is undoubtedly a huge problem with many people using the same password for multiple sites.

“The sensible approach is to use different passwords for every online account you have. And if, like me, you think you will never be able to remember all those complex, unique passwords – well, get yourself a password manager program to do the hard work for you,” he wrote in a blog post.

Another possibility is that the users were targeted by a phishing campaign aimed at tricking them into divulging their British Gas account login details.

Such phishing attacks typically use an email asking users to reset or confirm their login details via a link to a legitimate-looking form that is then sent directly to those behind the phishing attack.

News of the British Gas customer details leak comes within hours of a technical fault emerging on the Marks & Spencer website that allows customers to see each other’s personal details, and just days after TalkTalk warned customers that an attack on its website might have put bank and other details at risk.

Read more about data breaches

Read more on Privacy and data protection