Popular BBC presenter Victoria Derbyshire made a shocking discovery on her programme when it came to light that O2 customers’ data had been stolen and was now for sale on the dark net. Login details stolen from gaming website XSplit 3 years ago worked for hackers when they attempted to log on to O2 accounts, and, in a process known as credential stuffing, the hackers could access data to sell. It is thought that the credential stuffing technique will not have targeted only O2 and is likely to have been attempted on other companies as well. Customers who thought their data was safe may find themselves at the heart of another hacking scandal, just like the one at TalkTalk last year.
Going undercover, Victoria Derbyshire and the BBC purchased a small amount of data from the seller and found it to be information such as dates of birth, email addresses, phone numbers and passwords. The information was shown to the BBC team by an ethical hacker, who had themselves, alarmingly, found the information for sale on the dark net. As many already know, the dark net can only be accessed through specific web browsers and is used mainly for activity that is illegal in nature, which makes it difficult for the hackers to be identified.
This method of hacking doesn’t take much skill and basically just involves the hacker repeatedly trying different login details until they can successfully access an account and steal data. Now that the BBC has accessed some information, it is assisting O2 and the police in their inquiries. It is believed that data accessed and retrieved from gaming website XSplit in 2013 is what has contributed to the O2 hack. The BBC has assured the public that any O2 customers who have been jeopardised as a result of the attack have been informed and told to change all passwords, as many people have the same password for a number of different accounts and companies online. The BBC is warning that this hack may have caught out people who thought they were secure online and that passwords should be changed as a precaution. O2 were keen to assure customers that they had not suffered a data breach and that credential stuffing was sadly an ongoing problem for businesses. They want their customers to know that they take security extremely seriously and are working with police to resolve the case and make sure affected customers’ needs are dealt with correctly.
Although the issue is being investigated, computer security specialists believe that credential stuffing proves that simply having a username and password to access accounts is not enough, especially when that same password is used on several different accounts by the same user. It is now common knowledge that using the same username and password across several accounts is risky, but the O2 data hacking is proof that it is still happening all too often. Hackers now know that if they have one account’s login details, they are likely to be able to have the same success on another account. The traditional method of username and password is no longer enough to protect consumers, particularly as hackers’ technology continues to improve. Security firm SecureAuth has recommended that, whilst inconvenient and time consuming, constant re-authentication when logging into an account may be necessary to protect details and data.