Vodafone warns some customer accounts were breached, potential for fraud and phishing attacks

Graham Cluley

UK telecoms operator Vodafone has revealed that some 1,827 customers have had their personal information accessed by hackers, who broke into accounts between midnight on Wednesday 28 October and noon the following day.

Vodafone says that its security systems were “fundamentally effective”, but that fraudsters could have accessed the following details from compromised accounts: the customer’s name, their mobile telephone number, their banking sort code, and the last four digits of their bank account.

Understandably, in light of the high-profile TalkTalk hack and the prominent appearances of its CEO Dido Harding failing to win over concerned customers in numerous media interviews, the one message that Vodafone wanted to get across was that its own systems “were not compromised or breached in any way.”

Instead, as with the British Gas password scare from earlier this week, the implication is that the login credentials for the 1,827 accounts might have fallen into the criminals’ hands through a different route.

Perhaps, and this is easy to believe, those account holders had made the mistake of using the same password for their Vodafone account as they were using for another website – and it was that *other* website that got hacked, and the bad guys are just exploring what other accounts they might be able to unlock?

It’s just a theory, of course, but we do know that many, many people commit the cardinal sin of reusing passwords.

Vodafone is keen to stress that it does not believe the stolen data on its own will be enough to access the bank accounts of affected customers, but it is easy to imagine that it could be used as a stepping-stone for identity theft and that carefully-crafted phishing campaigns could follow:

No credit or debit card numbers or details were obtained. The information obtained by the criminals can not be used directly to access customers’ bank accounts. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts.

Vodafone says it is contacting affected customers, and that no other users are affected by the incident. For further information, check out the statement from Vodafone.

Unfortunately, like TalkTalk, Vodafone does not have an entirely unblemished record when it comes to securing its customers’ data. In 2013, Vodafone in Germany revealed that a hacker had stolen the personal information of some two million customers.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
