Brian Jackson - Fotolia
According to the company, some O2 customers have been targeted by cyber criminals using a technique commonly known as “credential stuffing” to log in to accounts.
This refers to the process of obtaining username and password combinations by breaching one organisation and then testing them on other websites to see if they allow access.
This testing is typically automated, which means millions of credentials can be tested across thousands of popular websites in a relatively short time.
O2 said its investigations into unauthorised access of some of its users’ accounts led to a reported data breach from the gaming website XSplit in 2013.
“We have not suffered a data breach,” an O2 spokesperson said.
“Credential stuffing is a challenge for businesses and can result in many company’s customer data being sold on the dark net.”
O2 said it had passed all the information it has on to law enforcement and the company continues to help with the investigations.
“We act immediately if we are given evidence of personal credentials being taken from the internet and used to try and compromise a customer’s account,” the O2 spokesperson said.
“We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves.”
Read more about password security
- A report of a cache of millions of stolen webmail credentials could finally drive more widespread adoption of two-factor authentication (2FA) say security experts.
- Here are five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft.
- Yahoo Account Key uses push notifications to provide a fast and secure way to access Yahoo accounts from a mobile device.
- The Fido Alliance takes another step closer to defining a standard web-based API, as industry support for its password-killing standards gains momentum.
Each time an organisation such as XSplit is breached, any account holders who have used the same log-in details on other sites open those accounts up to compromise too.
For this reason, security experts routinely warn against using the same password to log in to multiple online accounts. Creating unique passwords for every online service means that if one is compromised, none of the others is affected.
If cyber criminals are able to find a match on other sites, they are able to log in to accounts as if they are the account holders. Consequently they are able to access all the account holder’s details.
Attackers are also able to hijack the accounts for other criminal purposes, such as committing fraud and sending spam email messages as part of a campaign to spread malware through malicious links.
Data stolen from O2 accounts accessed in this way reportedly included phone numbers, emails, passwords and dates of birth.
Simple protection measures ‘overlooked’
Kevin Cunningham, president and founder of identity and access management firm SailPoint, said password management is a critical element of security, but one many consumers and organisations are still struggling to get right.
“Many of the major security breaches that have occurred over the past couple of years have all been related to passwords,” he said.
According to Cunningham, the most obvious and simple measures – such as password managers to ensure strong and unique passwords – are still being overlooked.
“Business users are often simply unaware of the potential dangers, which will only get worse as we continue to adopt applications – both cloud and web applications – across the organisations at the rate we have been over the past couple of years, especially without any control or oversight from IT,” he said.
In June 2016, remote device management firm LogMeIn was among several suppliers that took the precautionary step of resetting some users’ log-in credentials.
It did this after cross-checking the log-in credentials of its user base against lists containing “hundreds of millions” of passwords stolen during past data breaches at LinkedIn, Tumblr and MySpace.
The main catalyst for the checks was the news in May 2016 that 167 million LinkedIn account details stemming from a 2012 breach were for sale on the dark web.
In addition to password managers, security experts have urged the use of two-factor authentication (2FA) processes wherever they are available.
“Passwords are a relic from a bygone age, and they simply don’t provide adequate protection for the volume of information we all store and access online today,” said Brian Spector, chief executive at distributed cryptography firm MIRACL, formerly known as Certivox.
“Passwords do not scale for users, they do not protect the service itself and they are vulnerable to multiple attacks,” he said.
Because it is impossible to know with absolute certainty that a password has not been compromised, security advisors say changing passwords regularly ensures that even if a password has been compromised, the exposure to risk will be minimised.