Vodafone hacker steals data of two million customers

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

VodafoneVodafone in Germany has found itself in the awkward position of admitting to two million customers that a hacker has stolen their personal information.

Although the hacker did not manage to get their hands on customers’ passwords, mobile phone numbers or PIN codes, they did access users’ names, genders, addresses, dates of birth, bank account numbers and sort codes.

In its official statement, Vodafone Germany expressed its regret and attempted to reassure affected customers by saying:

“It is hardly possible to use the data to get directly access to the bank accounts of those affected”

Warning from Vodafone Deutschland

Well, perhaps that’s true. It’s certainly the case that things would have been much worse if passwords and PIN codes had been include in the hoard stolen by the hacker.

However, the information that was taken are still valuable pieces of information for an identity thief, that can help them piece together a carefully engineered attack designed to impact innocent people.

Sign up to our free newsletter.
Security news, advice, and tips.

When you tell a company like Vodafone your address and date of birth, you have an expectation that they will secure the information properly – and that it won’t fall into the hands of hackers.

By the way, although Vodafone Germany’s advisory is ambiguous about whether email addresses were also grabbed by the hacker, seeing as the company is warning of the risk of phishing I think it would be sensible to assume that they could have also been compromised.

The BBC reports that the German authorities have already identified and searched the property of a suspect, and one has to hope that this might indicate that the stolen information has not been distributed through the computer underground.

But let’s not relax too much. This hack shouldn’t have taken place in the first place, and Vodafone will hopefully be investigating as a matter of priority how it managed to occur.

Vodafone, one imagines, will be keen to check whether the vulnerability that allowed a hacker to access details of its German customers is also present on its many other sites around the world.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.