Hackers selling stolen consumer data from UK telco O2 on dark web: report
28 Jul 2016
Hackers who gained access to customer data at UK telco O2 have put it up for sale on the dark web.
According to commentators, the compromised data is likely to have been obtained by using usernames and passwords stolen from gaming website XSplit three years ago to log onto O2 accounts.
Where the login details matched, this process, known as "credential stuffing", allowed the hackers to access O2 customer data.
Hackers were able to get hold of all kinds of sensitive data, including dates of birth, phone numbers, emails, and passwords, from O2 using the tactic, which ultimately relied on password reuse.
The same password reuse problem exposed users to attack on other third-party websites.
O2, which stressed that it had not suffered a breach itself, had reported the case to police. The telco said, "We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many companies' customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.
"We act immediately if we are given evidence of personal credentials being taken from the Internet and used to try and compromise a customer's account. We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves."
Meanwhile, following yesterday's breach, industry professionals offered their reaction and analysis and called for a move towards two-factor authentication. They also faulted users who use the same login credentials across sites.
James Romer, chief security architect Europe, SecureAuth, said, "The O2 data leak must be a stark wake-up call for businesses who continue to rely on traditional username and password authentication alone," IT ProPortal reported. "We all know that using the same password / username credentials across multiple sites is a bad idea, yet it still happens far too often. Users have difficulty remembering different passwords for the multitude of needs of our online lives, so they default to using the same password over and over and it's generally something simple. How many times has 1234 topped the most common password list?
"However, bad actors are taking advantage of this laissez-faire attitude, trying stolen credentials not just on one site but a number, even employing botnets which automate the process. Where the same credential combinations are repeatedly being used across a number of accounts, it's the equivalent of a skeleton key to your online life.
"Organisations must move away from the current reliance on a single point of authentication to multifactor, or even better, continuous authentication. Not only does this render stolen credentials completely worthless across the breached site, it also means they cannot be used to compromise users more broadly."