When BBC News broke the news this morning in a story headlined “O2 customer data sold on dark net” it was enough to send a shiver down the spine of millions of customers of the UK telecoms provider.
But, if you read a little deeper, you would find journalist Catrin Nye explaining that although details of some O2 customers were being offered for sale by the computer underground, it wasn’t because O2 had been hacked.
It was because *another* site had been hacked… and the passwords stolen from *that* site used to grant criminals access to further data about victims by simply logging into their O2 accounts.
Of course, none of this would happen if people hadn’t committed the cardinal sin of using the same passwords on different websites.
O2 issued a statement saying that it hadn’t suffered a data breach:
“We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many companies’ customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”
Hmm. I can understand O2 wanting to reassure the vast majority of its users, but that isn’t entirely correct. Data O2 was storing on its servers has ended up in the hands of criminals. Some O2 customers have had their privacy breached and may now be exposed to threats, although this wasn’t because of any inherent vulnerability in O2’s own security.
O2, in this instance, has not been anything like as lackadaisical with its security as other telecoms firms like – say – TalkTalk.
No. Because the only O2 customers who seem to have had their data exposed were actually victims of a security breach which happened a few years ago at a video game-streaming site called XSplit.
What appears to have happened is this. XSplit got hacked in November 2013, leaking some 2.9 million usernames, email addresses and hashed passwords.
That in itself is unpleasant, but not as bad as hackers gathering further personal information about you – such as your mobile phone number, postal address, real name and date of birth.
But what hackers frequently do these days is use a technique known as “credential stuffing” – taking the information they have stolen from one site, using it to log into another site, and then using any information they gather on any accounts they manage to access to gather additional personal information which could be used for fraud.
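From the service provider's side, the tell-tale signature of credential stuffing is one source trying many *different* usernames with a high failure rate, which looks nothing like a single user mistyping their own password. The following is an added example, not code from the original article or from O2: a small Python detector run over constructed authentication log lines in a hypothetical `src=… user=… result=…` format (the format, the IP addresses and the thresholds are all assumptions).

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not any real provider's logs).
# 203.0.113.7 walks through many distinct accounts and mostly fails; one login succeeds.
# 198.51.100.4 is one user retrying their own account, which should not be flagged.
SAMPLE_LOG = """\
2016-07-26T08:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2016-07-26T08:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2016-07-26T08:00:02Z src=203.0.113.7 user=carol@example.com result=OK
2016-07-26T08:00:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2016-07-26T08:00:04Z src=203.0.113.7 user=erin@example.com result=FAIL
2016-07-26T08:00:05Z src=203.0.113.7 user=frank@example.com result=FAIL
2016-07-26T08:00:09Z src=198.51.100.4 user=alice@example.com result=FAIL
2016-07-26T08:00:15Z src=198.51.100.4 user=alice@example.com result=FAIL
2016-07-26T08:00:30Z src=198.51.100.4 user=alice@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source addresses that try many distinct accounts with a high failure ratio.

    Returns {src: {"distinct_users": n, "fail_ratio": r, "compromised": [users]}}
    where "compromised" lists accounts the flagged source managed to log into,
    which are the ones to force a password reset on.
    """
    by_src = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": set()}
    )
    for e in events:
        s = by_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(e["user"])

    flagged = {}
    for src, s in by_src.items():
        ratio = s["failures"] / s["attempts"]
        # Both conditions together separate stuffing from a single forgetful user.
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed lines only `203.0.113.7` is flagged (six distinct accounts, five of six attempts failed) and `carol@example.com` is reported as the account it got into; the retrying user at `198.51.100.4` is left alone. Real deployments would add a time window and consider sources spread across many IPs, but the two signals used here, distinct accounts per source and failure ratio, are the core of it.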
Nasty. And when I appeared on BBC’s Victoria Derbyshire TV show this morning discussing the incident, we heard from victims who had suffered as a result.
Avoid hacking with unique passwords says security expert @gcluley – but how to remember them? #VictoriaLIVE https://t.co/jFob9SvtHy
— Victoria Derbyshire (@VictoriaLIVE) July 26, 2016
There are a number of ways to protect yourself.
Firstly, stop reusing the same passwords on multiple sites. If you use a different password for different sites, the hackers won’t be able to use credentials they have stolen from one website to hack your other accounts.
Secondly, start using more complicated, long passwords rather than obvious dictionary words. Your passwords should be more like ^qp3;Y8JhdXdX>f#Xjic6 than password123.
Thirdly, stop trying to remember your passwords. If you followed my advice above you will find it impossible to remember your passwords. Simply use password management software like Bitwarden, 1Password, and KeePass to make passwords both safer and easier to remember.
Fourth, enable two-step verification (2SV) on as many of your accounts as you can – it provides an additional level of protection that makes life much harder for the hackers.
Finally, I hope you have changed your passwords. Don’t leave stale passwords that break the rules above lying around on the internet.
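To make the first, second and last points concrete, here is an added Python example (not code from the article or from any of the password managers named above) that does what a password manager does for you: generates a per-site password with the operating system's CSPRNG via `secrets`, and audits a vault for passwords that are reused across sites, that appear in a small constructed list of common passwords, or whose character-class entropy is below a threshold. The vault contents, the site names and the 80-bit threshold are assumptions for the demonstration.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes and their pool sizes: 26 + 26 + 10 + 32 = 94 printable characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))

# Constructed stand-in for a breached/common-password list (a real one has millions of entries).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def generate_password(length=21):
    """Random password from all 94 printable characters, using secrets (CSPRNG), not random.

    Retries until every character class is present so the full 94-symbol pool applies.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(password):
    """Upper-bound entropy estimate: length * log2(pool of character classes present).

    A dictionary word scores far lower in reality; the common-password check covers that.
    """
    pool = sum(len(cls) for cls in CLASSES.values() if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit_vault(vault, min_bits=80.0):
    """Report sites sharing a password and sites whose password is weak.

    vault is {site: password}. Passwords themselves are never returned, only site names.
    """
    sites_by_password = defaultdict(list)
    weak = []
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
        if pw.lower() in COMMON_PASSWORDS or entropy_bits(pw) < min_bits:
            weak.append(site)
    reused = sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)
    return {"reused": reused, "weak": sorted(weak)}


# Constructed vault: the same weak password on two sites, one short password, one strong one.
SAMPLE_VAULT = {
    "xsplit.example": "password123",
    "o2.example": "password123",
    "forum.example": "Summer2016",
    "bank.example": "^qp3;Y8JhdXdX>f#Xjic6",
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    print("replacement for o2.example:", generate_password())
```

On the constructed vault the audit reports `xsplit.example` and `o2.example` as sharing a password, which is exactly the situation that turned one game-streaming breach into exposed telecoms accounts, and marks those two plus `forum.example` as weak; the 21-character password from the article scores roughly 137 bits and passes.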
Because if hackers were able to gain access to some O2 accounts you can bet your bottom dollar that they have also attempted to break into accounts on umpteen other sites too.
O2 is making the headlines right now, because the BBC happened to stumble across the database being sold on the dark net. But that doesn’t mean this is only a problem for O2 customers.
And that’s an important element of this story which has probably been lost in some of the newspaper headlines.
I'd add one more to the list. For sites you rarely, or will never, visit again, don't bother to vault the password. Just use a complex password, and when you visit again use the account recovery features.
Sage advice.
Pwsafe user here. I have the same password for pwsafe, and it generates and requests the passwords per site.
Of course, password vaults have their own problems.
http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/
I prefer the XKCD:936 approach, myself.
I wrote about the vulnerability in LastPass here: https://grahamcluley.com/security-hole-fixed-lastpass/
Like the guy who found the vulnerability, I continue to feel that password managers are a step up in security for the vast majority of people. They're certainly a lot better than what most people are doing (reusing passwords).
Regarding the XKCD 'correctbatteryhorsestaple' approach to passwords. The problem is that that method simply doesn't scale.