Brian Jackson - Fotolia

O2 denies data breach

Cyber criminals have accessed some O2 customer accounts to steal personal details and offer them for sale, but O2 says it was not breached and password re-use is to blame

UK mobile network operator O2 has confirmed that it has not been the victim of a data breach in response to the BBC’s report that customer details were found on sale on the dark web.

According to the company, some O2 customers have been targeted by cyber criminals using a technique commonly known as “credential stuffing” to log in to accounts.

This refers to the process of obtaining username and password combinations by breaching one organisation and then testing them on other websites to see if they allow access.

This testing is typically automated, which means millions of credentials can be tested across thousands of popular websites in a relatively short time.

O2 said its investigations into unauthorised access of some of its users’ accounts led to a reported data breach from the gaming website XSplit in 2013.

“We have not suffered a data breach,” an O2 spokesperson said.

“Credential stuffing is a challenge for businesses and can result in many company’s customer data being sold on the dark net.”

O2 said it had passed all the information it has on to law enforcement and the company continues to help with the investigations.

“We act immediately if we are given evidence of personal credentials being taken from the internet and used to try and compromise a customer’s account,” the O2 spokesperson said.

“We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves.”

Read more about password security

Each time an organisation such as XSplit is breached, any account holders who have used the same log-in details on other sites open those accounts up to compromise too.

For this reason, security experts routinely warn against using the same password to log in to multiple online accounts. Creating unique passwords for every online service means that if one is compromised, none of the others is affected. 

If cyber criminals are able to find a match on other sites, they are able to log in to accounts as if they are the account holders. Consequently they are able to access all the account holder’s details.

Attackers are also able to hijack the accounts for other criminal purposes, such as committing fraud and sending spam email messages as part of a campaign to spread malware through malicious links.

Data stolen from O2 accounts accessed in this way reportedly included phone numbers, emails, passwords and dates of birth.

Simple protection measures ‘overlooked’

Kevin Cunningham, president and founder of identity and access management firm SailPoint, said password management is a critical element of security, but one many consumers and organisations are still struggling to get right.

“Many of the major security breaches that have occurred over the past couple of years have all been related to passwords,” he said.

According to Cunningham, the most obvious and simple measures – such as password managers to ensure strong and unique passwords – are still being overlooked.

“Business users are often simply unaware of the potential dangers, which will only get worse as we continue to adopt applications – both cloud and web applications – across the organisations at the rate we have been over the past couple of years, especially without any control or oversight from IT,” he said.

Two-factor authentication

In June 2016, remote device management firm LogMeIn was among several suppliers that took the precautionary step of resetting some users’ log-in credentials.

It did this after cross-checking the log-in credentials of its user base against lists containing “hundreds of millions” of passwords stolen during past data breaches at LinkedIn, Tumblr and MySpace.

The main catalyst for the checks was the news in May 2016 that 167 million LinkedIn account details stemming from a 2012 breach were for sale on the dark web.

In addition to password managers, security experts have urged the use of two-factor authentication (2FA) processes wherever they are available.

“Passwords are a relic from a bygone age, and they simply don’t provide adequate protection for the volume of information we all store and access online today,” said Brian Spector, chief executive at distributed cryptography firm MIRACL, formerly known as Certivox.

“Passwords do not scale for users, they do not protect the service itself and they are vulnerable to multiple attacks,” he said.

Because it is impossible to know with absolute certainty that a password has not been compromised, security advisors say changing passwords regularly ensures that even if a password has been compromised, the exposure to risk will be minimised.

Read more on Privacy and data protection