O2 customer data grab: Not-a-hack creds for sale on dark web

Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web. The compromised data was likely obtained by using usernames and passwords stolen from gaming website XSplit three years ago in order to log onto O2 accounts. When the login details matched, the hackers could access O2 customer …

  1. W Donelson

    Passwords and Human Nature

    Trying to enforce a behaviour (different passwords for every site) on everyone is doomed to fail.

    We need a better system, and it's not clear that biometrics are ultimately more secure.

    1. Hans Neeson-Bumpsadese Silver badge

      Re: Passwords and Human Nature

      The problem, for me, with biometrics is that when (not if) data gets compromised, there is nothing I can do to change my credentials. If a password or PIN gets compromised, I can change that...if somebody gets hold of a scan of my eye, then having an eye transplant so that I can restore a level of secrecy is too big an ask.

      1. Anonymous Coward
        Anonymous Coward

        Re: Passwords and Human Nature

        If a password or PIN gets compromised, I can change that...

        Which is why biometrics should only be used for usernames and not passwords.

        1. Midnight

          Re: Passwords and Human Nature

          Indeed. A password should always be something as undeniably private and secure as "What is the street you grew up on?" or "What is your pet's name?"

          1. PNGuinn
            Facepalm

            Re: Passwords and Human Nature

            " A password should always be something as undeniably private and secure as "What is the street you grew up on?" or "What is your pet's name?"

            Nothing inherently wrong with those questions, apart from the subtle prompting to give an honest answer.

            "Commiefascisttonyhangthebastard"* for example, would do quite well as an answer to both questions.

            * Any possible connections to any persons or animals real or fictitious, living, dead or yet to be born are purely coincidental.

    2. allthecoolshortnamesweretaken

      Re: Passwords and Human Nature

      " ... it's not clear that biometrics are ultimately more secure."

      It's pretty clear that biometrics are not "more secure". At least until you master the trick of growing back a finger or an eyeball, and with different unique characteristics as well. Because the database that holds your biometric information will be hacked at some point.

  2. Anonymous Coward
    Anonymous Coward

    Credentials aren't the only thing being nicked...

    From the original BBC News article this morning which broke the story (http://www.bbc.co.uk/news/technology-36764548):

    "The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as "credential stuffing"."

    From Mr Leyden's carefully crafted piece which doesn't even acknowledge the BBC source:

    "The compromised data was likely obtained by using usernames and passwords stolen from gaming website XSplit three years ago in order to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data through a process known as "credential stuffing"."

    I've not bothered to compare the rest but this looks like pretty shoddy "journalism".

    1. Anonymous Coward
      Anonymous Coward

      Re: Credentials aren't the only thing being nicked...

      Geeze; I had no idea when I ripped something off and rephrased it it was so obvious; they're so similar it'd be worth diffing!

      1. Hans Neeson-Bumpsadese Silver badge

        Re: Credentials aren't the only thing being nicked...

        Geeze; I had no idea when I ripped something off and rephrased it it was so obvious;

        You are Donald Trump's wife, and I claim my $5

    2. tfewster Silver badge
      Facepalm

      Re: Credentials aren't the only thing being nicked...

      Another facepalm line from the Beeb report was:

      "He said he had used the same email address and password for both these accounts and the one with O2, but has since changed them. Before this happened he had considered himself secure online and internet-savvy."

      I wonder what he thinks 'insecure' and 'ignorant' look like? "Oh yah, my usual password is 'password', but for IMPORTANT sites I use 'Password1' "

      1. PNGuinn
        Joke

        'Password1'

        Nah - far too obvious. REAL savvies use 1Password.

        Fools 'em every time.
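The BBC and Register quotes above both describe "credential stuffing": replaying username/password pairs leaked from one site against another, and keeping whatever logs in. From the defending service's side that pattern looks different from a brute-force attack: one source tries many distinct usernames roughly once each, and a small but non-zero fraction succeed. The following is an added example (not code from the article, the commenters, O2 or the BBC) that aggregates constructed authentication log lines per source IP and flags sources matching that shape, then lists the accounts that were logged into from a flagged source so they can be reset. The log format, the thresholds and the IP addresses are all assumptions for the example.

```python
"""Flag credential-stuffing activity in authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set

# Constructed sample log, not real data. Assumed line format:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.5 walks a leaked credential list (one try per user, one hit);
# 198.51.100.7 is one user mistyping once; 192.0.2.9 is a shared NAT
# address with three legitimate logins.
SAMPLE_LOG = """\
2016-07-26T09:00:01 203.0.113.5 alice FAIL
2016-07-26T09:00:02 203.0.113.5 bob FAIL
2016-07-26T09:00:03 203.0.113.5 carol FAIL
2016-07-26T09:00:04 203.0.113.5 dave FAIL
2016-07-26T09:00:05 203.0.113.5 erin FAIL
2016-07-26T09:00:06 203.0.113.5 frank FAIL
2016-07-26T09:00:07 203.0.113.5 grace FAIL
2016-07-26T09:00:08 203.0.113.5 hank OK
2016-07-26T09:01:10 198.51.100.7 carol FAIL
2016-07-26T09:01:25 198.51.100.7 carol OK
2016-07-26T09:02:00 192.0.2.9 ivan OK
2016-07-26T09:02:30 192.0.2.9 judy OK
2016-07-26T09:03:00 192.0.2.9 ken OK
"""


@dataclass
class SourceStats:
    """Login activity seen from one source IP."""
    attempts: int = 0
    successes: int = 0
    users: Set[str] = field(default_factory=set)      # distinct usernames tried
    hit_users: Set[str] = field(default_factory=set)  # usernames that logged in
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def aggregate(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Fold log lines into per-source statistics."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.hit_users.add(user)
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return dict(stats)


def flag_stuffing(stats: Dict[str, SourceStats], min_users: int = 5,
                  max_success_rate: float = 0.2,
                  window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return sources that tried many distinct usernames inside a short
    window with a low success rate. A brute-force hammers one username
    instead, so it fails the min_users test; a busy NAT with normal users
    has a high success rate, so it fails the rate test. Thresholds are
    assumed values to tune against real traffic."""
    flagged: Dict[str, dict] = {}
    for ip, s in stats.items():
        rate = s.successes / s.attempts
        span = s.last - s.first
        if len(s.users) >= min_users and rate <= max_success_rate and span <= window:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "successes": s.successes,
                "success_rate": rate,
                "seconds": span.total_seconds(),
            }
    return flagged


def compromised_accounts(stats: Dict[str, SourceStats],
                         flagged: Dict[str, dict]) -> Set[str]:
    """Accounts logged into from a flagged source: these are the ones
    whose reused password is known to be leaked, so they need a forced
    reset and a customer notification."""
    hits: Set[str] = set()
    for ip in flagged:
        hits |= stats[ip].hit_users
    return hits


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG.splitlines())
    flagged = flag_stuffing(stats)
    for ip, info in flagged.items():
        print(ip, info)
    print("reset needed:", sorted(compromised_accounts(stats, flagged)))
```

Run as-is it reports 203.0.113.5 (8 distinct users, 1 success) and lists hank as the account to reset; the other two sources stay unflagged. In production the same per-source counters would feed a rate limiter or step-up authentication rather than a print, and the distinct-username count is the signal worth keeping even when attackers spread the list across many addresses.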

  3. Version 1.0 Silver badge

    Too much data

    All too often I'll create an account for something and find that they "need" all sorts of information before the account is valid ... and then if I get bored with the account and stop using it, it lives forever. The chances are that most of the people with accounts on the original site stopped using them after a few months.

    1. paulf Silver badge

      Re: Too much data

      FTA: "The incident underlines the dangers of password reuse, particularly among consumers."

      It also shows the danger of reusing the same Date of Birth and address between websites too.

      Unless a website can completely justify things like DOB (e.g. Online Banking) they have no reason to demand it as it's only going to be used for things like reclaiming your account should you lose access to it. Really it's just a second password so use any suitable date as long as you can remember it.

  4. Paul Anderson

    "bad actors are taking advantage of this laissez faire attitude". Really ? I didn't know Andie MacDowell was a hacker.

  5. Chris 125

    This article reads awfully like it's O2's fault. I'd be pretty annoyed if I were them, surely this is like someone leaving their keys on their doorstep and then an article appears saying "Yale locks are crap, I could let myself right in to this house"

  6. JimmyPage Silver badge
    Stop

    LastPass*

    Job done.

    *Other password managers are available.

    1. Anonymous Coward
      Boffin

      Re: LastPass*

      Or not, as the case may be:

      http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/


Biting the hand that feeds IT © 1998–2019