O2 customer details being sold on the dark web

The network hasn't suffered a breach, but its customers have been targeted by hackers who have stolen their login details from elsewhere.

O2 is working with law enforcement to try and keep its customers safe.
Tim Whitby/Getty Images/O2

Data belonging to customers of UK phone network O2 has been discovered for sale on the dark web.

The discovery was made by an unnamed ethical hacker, who reported his findings to the BBC, which then investigated the data further and revealed its findings on Tuesday.

O2 itself did not suffer a security breach, but customers who use identical usernames and passwords on multiple online accounts were left exposed. Using login details that were most likely stolen from the gaming website XSplit three years ago, hackers were able to compromise O2 accounts with matching details.

Access to the O2 accounts allowed the hackers to bundle together users' phone numbers and dates of birth with the usernames and passwords and put them up for sale. This technique is known as "credential stuffing". It relies on bulking out the original stolen data with additional data swiped from other accounts to make it more valuable to buyers on the dark web.

This sinister-sounding portion of the internet is accessed through alternative browsers, often for nefarious means, including the buying and selling of illegal items, or items that have been obtained illegally. Stolen data exchanged on the dark web is often used for identity fraud. For O2 customers who also used XSplit at some point, this means they could be targeted by identity thieves. It's also possible that other online accounts they use have the same username and password combinations and could also have been compromised.

To verify the accounts being sold on the dark web were real, the BBC purchased a selection and checked to see if the username and password combinations belonged to genuine people. All O2 customers whose accounts were bought by the BBC have been informed, and the BBC and O2 have passed all the details they have on to law enforcement.

"We act immediately if we are given evidence of personal credentials being taken from the internet and used to try and compromise a customer's account," an O2 spokesman said in a statement. "We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves."

If you're worried about your identity theft or your details being compromised, consider changing your password, using a password manager in order to allow you to remember multiple different passwords for different accounts and also enable two-step verification whenever it is available.