According to BBC reports, O2, one of the biggest UK mobile networks, appears to have suffered a data breach. The data was almost certainly not taken from O2's own systems but obtained by credential stuffing: usernames and passwords first stolen from the gaming website XSplit three years ago were replayed against O2 accounts whose owners had reused them. Security experts at MIRACL, Comparitech.com, Lieberman Software, ESET, Veracode, Thales e-Security and Intercede commented below.
Brian Spector, CEO at MIRACL:
“This incident provides us with another reminder of just how vulnerable passwords are to being hacked. The tendency for people to choose a password for life means that setting up a cursory account on a gaming site could threaten all the private information that they store and access on the Web each day. Data theft and identity fraud are a multi-billion dollar business on the dark net, so consumers must be vigilant.
“But the bigger problem here is that the convention never changes. Until we consign passwords to the history books, data breaches will continue to feature in our news feeds. Passwords don’t scale for users, they don’t protect individual services and they are vulnerable to a myriad of attacks. Customers are usually advised to change passwords when a breach like this occurs, but that won’t protect users from database hacks. The only way to move forwards is to distribute trust across multiple points with rigorous authentication technologies, thus eliminating the single point of compromise.”
Lee Munson, Security Researcher at Comparitech.com:
“Though O2 has now denied suffering a data breach, the numerous publicised accounts of what may, or may not, have happened should act as a timely reminder to all that password security is as important as it ever has been.
“Customers of all companies can be subjected to something known as ‘credential stuffing’, whereby an attacker tries stolen usernames/email addresses and passwords on other popular websites and services, with the success rate of such an attack depending entirely on how savvy the victims have been with their password management.
“Given the fact that many people only have access to one or two email accounts, password variety is essential because, otherwise, if one account is compromised, all potentially are.
“That’s why password managers are so essential these days. By setting one up, all you need to remember is one complex master password – the program will securely take care of the rest for you.
“And if you are an O2 customer?
“I think it’s better to be safe than sorry – change your password now, as well as any other duplicates you may be using elsewhere on the web – if the story is false all you’ve wasted are a few minutes. If it’s true, and you don’t take care of your login credentials, you could be in for a huge amount of financial and other types of pain.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“O2 is the latest example of a lesson consumers should really have learned by now – you can’t reuse the same passwords across many sites unless you want your data stolen. This is doubly true when you’re using the same password with the same username at casual sites, e.g. some sports discussion forum, and something important to your life, e.g. your mobile service provider. People make the quite legitimate complaint that they simply manage too many sites to have unique passwords for all of them. However, simple protections like using password managers, like the ones built into most browsers or cloud-powered services like LastPass, could remove most of those issues. And it’s always good to identify a few sites, perhaps your bank, mobile provider, or a service where you shop very often, and treat those sites differently – giving them totally unique passwords. You might even want to keep those few in your head, while the rest go in the browser’s memory.”
Mark James, security specialist at ESET:
“With so much data being stolen, collated and offered for sale on the darker sides of the internet, it is absolutely imperative these days that you never, ever use the same password on different sites. I know it’s difficult to remember unique passwords for every site you log into, but there are many ways you can help yourself. A password manager is one of the best: it will remember (and generate) very complex, unique passwords for every login you have, and all you have to do is remember one (complex) password to access the password manager. You also have the option to use two-factor or two-step verification; if someone tries your details to log into a site that uses this option, they can’t access it using the username and password alone.
“The problem with reusing passwords is that when a site that does not have very good security gets breached, the criminals will take that data and use it to attempt to log into other websites for monetary gain. It makes no difference how good the security is at PayPal if you use the same username (often your email address) and password on a smaller, less well protected site.
“Credential stuffing is basically taking the details you have used elsewhere and inputting them into a program that will try those details on lots of other sites, looking for successful logons. If you reuse your password you are making their job easier; it’s as simple as that. There are many options, often free, for helping you to make your data safer that anyone can download (for free or purchase) and easily set up.”
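Both Lee Munson's and Mark James's descriptions above boil down to the same observable: a program replaying a leaked list of username/password pairs against a site, so each account is tried once or twice and most attempts fail, while a brute-force attack hammers one account repeatedly. The following is an added example, not code from the article or from any of the companies quoted, showing how a defender can separate those two patterns in authentication logs. The log format, the RFC 5737 documentation IP addresses, the sample events and the thresholds are all constructed for illustration and are not a standard.

```python
"""Flag credential stuffing vs. brute force in authentication events.

Added example (not from the original article). The log format, sample
events and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample log: 198.51.100.7 replays a leaked credential list
# (eight distinct users, one try each, two hits), 203.0.113.9 brute-forces
# a single account, and two ordinary users log in from 192.0.2.x.
SAMPLE_LOG = """\
2016-07-26T10:00:01Z auth result=fail user=alice@example.com src=198.51.100.7
2016-07-26T10:00:02Z auth result=fail user=bob@example.com src=198.51.100.7
2016-07-26T10:00:02Z auth result=success user=carol@example.com src=198.51.100.7
2016-07-26T10:00:03Z auth result=fail user=dave@example.com src=198.51.100.7
2016-07-26T10:00:03Z auth result=fail user=erin@example.com src=198.51.100.7
2016-07-26T10:00:04Z auth result=success user=grace@example.com src=198.51.100.7
2016-07-26T10:00:05Z auth result=fail user=heidi@example.com src=198.51.100.7
2016-07-26T10:00:05Z auth result=fail user=ivan@example.com src=198.51.100.7
2016-07-26T10:01:00Z auth result=fail user=mallory@example.com src=203.0.113.9
2016-07-26T10:01:01Z auth result=fail user=mallory@example.com src=203.0.113.9
2016-07-26T10:01:02Z auth result=fail user=mallory@example.com src=203.0.113.9
2016-07-26T10:01:03Z auth result=fail user=mallory@example.com src=203.0.113.9
2016-07-26T10:01:04Z auth result=fail user=mallory@example.com src=203.0.113.9
2016-07-26T10:02:00Z auth result=success user=alice@example.com src=192.0.2.10
2016-07-26T10:02:30Z auth result=fail user=bob@example.com src=192.0.2.11
2016-07-26T10:02:35Z auth result=success user=bob@example.com src=192.0.2.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>success|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # accounts actually entered


def parse_events(log_text):
    """Yield (ts, result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def aggregate_by_source(events):
    stats = defaultdict(SourceStats)
    for _ts, result, user, src in events:
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result == "fail":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats


def classify_source(s, min_attempts=5, min_distinct_users=5, fail_ratio=0.5):
    """Label one source IP's activity.

    Credential stuffing: attempts spread over many distinct usernames (the
    attacker has a list, so each pair is tried about once), mostly failing.
    Brute force: the same volume concentrated on one or two usernames.
    Anything below the volume/failure thresholds is treated as normal.
    """
    if s.attempts < min_attempts or s.failures / s.attempts < fail_ratio:
        return "normal"
    if len(s.users) >= min_distinct_users and len(s.users) >= 0.8 * s.attempts:
        return "credential_stuffing"
    if len(s.users) <= 2:
        return "brute_force"
    return "suspicious"


def detect(log_text):
    """Return ({src: label} for non-normal sources, set of accounts that a
    stuffing source logged into, i.e. candidates for a forced reset)."""
    flagged, compromised = {}, set()
    for src, s in aggregate_by_source(parse_events(log_text)).items():
        label = classify_source(s)
        if label != "normal":
            flagged[src] = label
        if label == "credential_stuffing":
            compromised |= s.successes
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect(SAMPLE_LOG)
    for src, label in sorted(flagged.items()):
        print(f"{src}: {label}")
    print("force password reset for:", ", ".join(sorted(compromised)))
```

The point of separating the two labels is the response: a brute-forced account can simply be locked, whereas the accounts a stuffing source did get into are real compromises that need a password reset and a session revocation, since the attacker already holds a working password. The per-IP heuristic only catches a single-source replay; a botnet spreading the same list across thousands of addresses needs a per-account or site-wide view (a spike in failures where almost every failed username appears only once), and checking new passwords against known-breached lists stops the reuse problem at the source.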
John Smith, Principal Solution Architect at Veracode:
“With the dark web providing ever more enterprise opportunities for cyberattackers through the resale of personal information, it is critical that organisations of all sizes have robust cybersecurity defences to prevent their customer data being stolen and sold off. However, too many organisations continue to overlook simple best practice, with severe consequences, such as the TalkTalk mega breach achieved using a common SQL injection.
“Cybercrime is increasingly becoming commoditised with the rise in exploit kits and YouTube tutorials on exploiting vulnerabilities. This means launching an attack – even without personally possessing the necessary cyber skills – has never been easier.
“Hacks don’t just leave customer data at risk, they severely impact the reputation and trust in the organisation. It is therefore crucial that all possible attack vectors are closed off, before their all-important data finds its way into the wrong hands.”
Jon Geater, CTO at Thales e-Security:
“In today’s big-data fuelled world, with records such as usernames and passwords – which consumers often don’t change between websites – and email addresses, birthdates and phone-numbers also stolen – which consumers can’t change – this type of simple breach is a goldmine for hackers.
“This incident further underlines the importance for businesses to change the way they think about data protection, extending their encryption policies to cover all personally identifiable information and account data to prevent it falling into the wrong hands.”
Richard Parris, CEO at Intercede:
“Another day, another data breach. This time it’s the customers of O2 who have fallen victim and the most tragic part of the story is that it appears their security has been compromised simply by hackers recycling usernames and passwords gained from a three year old attack on gaming website, XSplit.
“The customers affected by breaches of this nature are those who recycle their passwords across multiple identities, but it’s time that service providers stopped blaming their customers for what is grossly inadequate security. Simple password-based authentication just doesn’t work – none of us can possibly remember enough complex passwords to make the approach viable.
“It’s imperative that organisations now reject simple password authentication and adopt secure alternatives before consumers lose complete faith in the online services provided to them. In the ‘age of the hack,’ the future of online security relies on a much more proactive stance; embedding measures into the very fabric of technology we use in our everyday lives, from the silicon chips used in smartphones, to the apps and services these sites offer. If not, will large-scale data breaches ever be a thing of the past?”
An independent survey of 2,000 consumers aged 16 to 35 found that very few place any significant trust in companies’ ability to protect their personal data. Asked about telecommunications operators, 40% described their level of trust as ‘none’ or ‘a little’.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.