SSL Certificate

O2 Customer Data On Sale On The Dark Web, O2 Denies Breach

August 1, 2016 | By Comodo SSL

Customer data belonging to O2 is being offered for sale on the dark web by cyber criminals. O2 has however denied any data breach.

Cyber security experts state that this data breach is a case of credential stuffing, where hackers use data stolen previously from elsewhere to hack new targets. In this case, the hackers used data that had been stolen earlier in 2013 from a gaming website. In the credential stuffing process, cyber criminals use a software that uses the stolen login credentials to repeatedly attempt login into new targets. Hackers had been quite successful in this case. They were able to steal important credentials – names, passwords, date of birth, emails and phone numbers. Access to so much sensitive data is a massive bonus for hackers. This stolen data is now for sale on the dark web.


Sensitive customer data can be used for fraud and identity theft. Credential stuffing is used as a standard attempt by hackers and state-supported groups to steal credentials.

A small sample of the customer data was purchased by BBC reporters to investigate and verify the data. Analysis of the data and contacting users confirmed that the data were valid. Users agreed that they had used the same password for both accounts.

This case focuses on the importance of following a password policy. Never use the same password for different logins. Use a strong password that is a mix of lower and upper case alphabets, numerals, and special characters or pass phrases. The password should not make any sense and should preferably be longer than 12 characters. Remembering the numerous login ids and their passwords is quite difficult, however it is a practice that must be diligently followed to prevent any account breaches.

Lack of SSL or a robust SSL certificate that could not protect the webpages at O2 could have been a major vulnerability that allowed the hackers to attack and steal user data. Organizations must take the responsibility and protect user data by using appropriate SSL certificates. Furthermore, as the issuer of the certificate (Certificate Authority CA) also matters, it is recommended to acquire SSL certificates only from CAs of good repute.


<< Healthcare government website issues are being fixedMozilla intros plug n hack to favor ssl certificate encryption >>

Posted in SSL Certificate

Be Sociable, Share!

Leave a Comment


* fields are mandatory