Another major company finds itself scrambling in response to news of a breach that really wasn’t. On Tuesday, the BBC reported that customer data belonging to U.K. telecom firm O2 was being sold on the dark web. After a slew of subsequent media reports blared headlines of O2’s “data breach,” the company responded with a statement that its systems were not hacked, but that usernames and passwords (which many people use to access multiple online accounts) from another intrusion had been used by fraudsters to gain access to O2 accounts and harvest information that was being sold. The practice is commonly referred to as account takeover, but O2 used the term “credential stuffing” to describe what is happening to its customers.
“We have not suffered a data breach,” an O2 spokesperson said in a statement. “Credential stuffing is a challenge for businesses and can result in many company’s customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”
Last year, Starbucks endured a similar challenge when fraudsters, who gained access to user accounts with credentials obtained from another source, drained the value stored on their Starbucks Cards and emailed themselves gift certificates.