Lurking in the shadows of the dark net, users can buy guns, drugs, tigers and, more recently, O2 customer details. The personal details of O2 customers have been making the rounds for sale on the dark net, and the breach can affect more than just their O2 accounts. The lessons from the breach are ones that everyone should be paying attention to – and affect more of us than you would think!
The dark net is a part of the internet that can’t be reached by traditional search engines. Although it sounds super dodgy – and is infamously used by criminals – it’s also used for lots of other reasons, like users worried about privacy (and in the wake of the Snowden revelations that’s many of us) and those that need to stay anonymous for their own safety, like journalists’ sources or political dissidents.
Mike Godfrey from Insinia Security found the data for sale on a dark net market; it includes users’ phone numbers, emails, passwords and dates of birth.
It’s looking likely that the data was nabbed using usernames and passwords that were first nicked from gaming website XSplit three years ago – attackers keep trying different combinations of the stolen details to crack into new accounts, and when a username and password match they get access.
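Added example, not from the original article or from O2: one way a site's defenders can spot the login pattern described above (usually called credential stuffing) in their own authentication logs, and list the accounts that need a reset. The function name, thresholds and the (time, source IP, username, success) event format are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (unix_time, source_ip, username, login_succeeded).
# IPs come from the RFC 5737 documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    # One source walking a list of different accounts, almost all failing.
    [(1000 + 10 * i, "203.0.113.7", f"user{i}@example.com", i == 5) for i in range(8)]
    # One person mistyping their own password, then getting in.
    + [(1005, "198.51.100.20", "alice@example.com", False),
       (1020, "198.51.100.20", "alice@example.com", False),
       (1040, "198.51.100.20", "alice@example.com", True)]
    # Shared office address: many accounts, but they all log in successfully.
    + [(1100 + 5 * i, "192.0.2.55", f"staff{i}@example.com", True) for i in range(6)]
)


def find_stuffing_sources(events, window=300, min_users=5, max_success_ratio=0.2):
    """Return {ip: sorted usernames that logged in successfully} for sources that
    try at least min_users distinct accounts inside `window` seconds while at most
    max_success_ratio of those attempts succeed."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            distinct_users = {user for _, user, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(distinct_users) >= min_users and successes / len(span) <= max_success_ratio:
                # Every account this source got into needs a reset and a notification.
                flagged[ip] = sorted({user for _, user, ok in rows if ok})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing, accounts to reset: {accounts}")
```

The success-ratio check is what keeps the shared office address out of the results: many accounts from one IP is normal when nearly all of them log in first time.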
The users that are affected have been notified, but the problem goes deeper than that. It shows the importance of good password practice, as the info could be used to breach other accounts if users share login info across different accounts; some of the affected users have already been alerted by other sites saying that there has been suspicious activity on their accounts, which means the attackers wasted no time trying to get as much out of the data as possible.
Computer security expert Graham Cluley said that this is pretty common after a grab: “One of the first things the criminals will try to do is see if any stolen passwords might unlock other sites online – potentially spilling more secrets about us, and opening us up to fraud and identity theft.” Have a little think – do you use any of your passwords across several accounts?
One of the biggest reasons for reusing passwords is that it’s hard to remember more than one, and they all have to be about 5 million letters long and contain three hundred thousand special characters.
Luckily help is at hand with a password manager – it’ll generate and store the passwords for different accounts, so you only have to remember and protect with your life the password for your password manager (pretty meta right?).
Two-factor authentication (2FA) is another important part of the protection process – it adds a second type of login, usually using something that you have on you, like your phone or a USB stick. When you log into an account you put in the password as usual, then it sends a code to your phone, for example, that you also put in before it’ll grant you access. UKFast clients can enable 2FA on their MyUKFast accounts so give it a go!
Find out more about protecting your solution with our security web page.