Vodafone warns some customer accounts were breached, potential for fraud and phishing attacks

Graham Cluley

UK telecoms operator Vodafone has revealed that some 1,827 customers have had their personal information accessed by hackers, who broke into accounts between midnight on Wednesday 28 October and noon the following day.

Vodafone says that its security systems were “fundamentally effective”, but that fraudsters could have accessed the following details from compromised accounts: the customer’s name, their mobile telephone number, their banking sort code, and the last four digits of their bank account.

Understandably, in light of the high-profile TalkTalk hack and the prominent appearances of its CEO Dido Harding failing to win over concerned customers in numerous media interviews, the one message that Vodafone wanted to get across was that its own systems “were not compromised or breached in any way.”

Instead, as with the British Gas password scare from earlier this week, the implication is that the login credentials for the 1,827 accounts might have fallen into the criminals’ hands through a different route.

Perhaps, and this is easy to believe, the owners of those accounts had made the mistake of using the same password for their Vodafone account as they did for another website – and it was that *other* website that got hacked, and the bad guys are just exploring what other accounts they might be able to unlock?

It’s just a theory, of course, but we do know that many, many people commit the cardinal sin of reusing passwords.

Vodafone is keen to stress that it does not believe the stolen data on its own will be enough to access the bank accounts of affected customers, but it is easy to imagine that it could be used as a stepping-stone for identity theft and that carefully-crafted phishing campaigns could follow:

No credit or debit card numbers or details were obtained. The information obtained by the criminals can not be used directly to access customers’ bank accounts. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts.

Vodafone says it is contacting affected customers, and that no other users are affected by the incident. For further information, check out the statement from Vodafone.

Unfortunately, like TalkTalk, Vodafone does not have an entirely unblemished record when it comes to securing its customers’ data. In 2013, Vodafone in Germany revealed that a hacker had stolen the personal information of some two million customers.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.