Telecommunications company O2 (Telefonica UK Limited) is in hot water after data belonging to its customers went up for sale on the dark web. While O2 itself claims to not have been breached, the hackers still managed to get their hands on credentials that allowed them access to a wealth of customer information. However, that’s due to negligence of its customers following a hack of an unrelated site.

The hack itself was performed through “Credential stuffing,” a kind of attack made possible when customers use the same credentials on multiple sites. When the gaming website XSplit was breached three years back, enough customers used the same credentials and login information for O2 to make their accounts ripe for hacking.

Info Security Magazine notes that customers affected by the incident have been seeing issues on other online accounts, as they use the same or similar credentials on multiple websites. Some are seeing cars they don’t own up for sale on eBay, while others are seeing fake sales on Gumtree.

The stolen information includes phone numbers, birth dates, and of course, email addresses and passwords. That’s more than enough information to steal someone’s account on any number of websites, particularly if they use the same passwords. When one gets stolen, the rest are jeopardized as well, which is what makes it so important that passwords are not repeated across websites.

O2 has already passed on any pertinent information to law enforcement, and is assisting in the investigation.

This kind of data theft is exactly why people are warned to change their passwords on multiple websites when one gets breached, and to avoid repeating passwords. Without strong, unique passwords on each site, a single breach can turn into hacks and thefts across every other site using identical credentials.

And no, it’s not okay to use “Password” for one site, then “Password1” for the next. Passwords such as that constantly top the list of “most common and easily guessed” passwords – and don’t even get started on “12345.”

If you’ve ever been the victim of a data breach, learn from this and avoid being the victim of credential stuffing. When one password changes, the rest must too.

Photo by cafecredit