British Gas customer logins published online as company denies system breach
British Gas has found itself at the centre of an incident that has seen customer login details published online.
A number of customer logins were briefly published to the text-sharing site Pastebin before being removed, but British Gas has denied it was hacked.
Not A Hack
British Gas has contacted about 2,200 of its customers, according to the BBC, warning them that their login details had been published online. Anyone using those credentials could have seen the customers' real names, addresses and past energy bills.
Bank account and card details, however, are not thought to have been exposed.
The firm says it has already disabled the affected accounts and customers are being asked to contact British Gas by telephone or securely reset their passwords via the company’s website.
“I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk,” the BBC quoted a British Gas email to customers.
“As you’d expect, we encrypt and store this information securely,” it added. “From our investigations, we are confident that the information which appeared online did not come from British Gas.”
TechweekEurope contacted British Gas, but the company said it would not be issuing a statement at this time.
So if British Gas was not hacked, how did the login details end up online?
With no official comment from British Gas, it is hard to say. One possibility is that a third-party system was compromised: criminals could have taken email addresses and passwords from another data breach and tested them against the British Gas login page, a technique known as credential stuffing, which works wherever customers reuse the same password across sites.
Alternatively, the customers may have been tricked into entering their login details on a fake page after receiving a phishing email that falsely claimed to be from British Gas.
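The credential-stuffing scenario above has a recognisable shape in a web login log: one source address tries many distinct accounts in a short window and most of the attempts fail, unlike a customer who has forgotten their own password (one account, several failures) or a shared office address (many accounts, mostly successes). The following is an added example, not code from British Gas or from the original report; the log format, addresses and account names are constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Flag credential-stuffing patterns in a web login log (added example).

Stuffing replays email/password pairs leaked elsewhere against a login
form, so one source tries MANY DISTINCT accounts, mostly failing, in a
short window. A forgetful user fails repeatedly on ONE account; a shared
office address hits many accounts but mostly succeeds.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "key=value" auth-log format.
# 203.0.113.7 is the stuffing source (one reused password succeeds),
# 198.51.100.4 a forgetful legitimate user, 192.0.2.10 a shared NAT.
SAMPLE_LOG = """\
2015-10-29T10:00:01Z src=203.0.113.7 user=a.patel@example.com result=FAIL
2015-10-29T10:00:03Z src=203.0.113.7 user=b.jones@example.com result=FAIL
2015-10-29T10:00:05Z src=203.0.113.7 user=c.khan@example.com result=FAIL
2015-10-29T10:00:07Z src=203.0.113.7 user=d.evans@example.com result=FAIL
2015-10-29T10:00:09Z src=203.0.113.7 user=e.brown@example.com result=FAIL
2015-10-29T10:00:11Z src=203.0.113.7 user=f.smith@example.com result=OK
2015-10-29T10:01:00Z src=198.51.100.4 user=g.lee@example.com result=FAIL
2015-10-29T10:01:20Z src=198.51.100.4 user=g.lee@example.com result=FAIL
2015-10-29T10:01:45Z src=198.51.100.4 user=g.lee@example.com result=FAIL
2015-10-29T10:02:10Z src=198.51.100.4 user=g.lee@example.com result=FAIL
2015-10-29T10:02:40Z src=198.51.100.4 user=g.lee@example.com result=OK
2015-10-29T10:03:00Z src=192.0.2.10 user=h.wood@example.com result=OK
2015-10-29T10:03:05Z src=192.0.2.10 user=i.clark@example.com result=OK
2015-10-29T10:03:10Z src=192.0.2.10 user=j.hall@example.com result=OK
2015-10-29T10:03:15Z src=192.0.2.10 user=k.green@example.com result=OK
2015-10-29T10:03:20Z src=192.0.2.10 user=l.white@example.com result=OK
2015-10-29T10:03:25Z src=192.0.2.10 user=m.baker@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse log lines into Attempt records; reject anything malformed."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts, m["src"], m["user"], m["result"] == "OK"))
    return attempts


@dataclass
class Finding:
    src: str
    accounts: int   # distinct usernames tried in the worst window
    attempts: int
    failures: int


def detect_stuffing(attempts, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.8) -> dict:
    """Return {src: Finding} for sources whose sliding window of attempts
    covers >= min_accounts distinct users with >= min_fail_ratio failures.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            seen = events[start:end + 1]
            accounts = len({e.user for e in seen})
            failures = sum(1 for e in seen if not e.ok)
            if accounts >= min_accounts and failures / len(seen) >= min_fail_ratio:
                best = findings.get(src)
                if best is None or accounts > best.accounts:
                    findings[src] = Finding(src, accounts, len(seen), failures)
    return findings


def accounts_to_reset(attempts, findings) -> set:
    """Accounts a flagged source logged into successfully: the reused
    passwords that actually worked, i.e. the ones to disable and reset."""
    return {a.user for a in attempts if a.ok and a.src in findings}
```

Running `detect_stuffing(parse_log(SAMPLE_LOG))` flags only 203.0.113.7 (six accounts, five failures out of six attempts) and `accounts_to_reset` returns the single account whose reused password succeeded; the forgetful user and the shared NAT address are left alone. The same per-source logic is what makes a forced reset of exactly the affected accounts, as described for the British Gas case, possible without locking out everyone else.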
At least one security expert said that British Gas needs to investigate the incident.
“It’s essential that British Gas investigates this breach thoroughly and does not rush the analysis,” said Justin Harvey, CSO of Fidelis. “With its customers at risk and reputation at stake, it needs to determine how attackers have accessed these credentials.”
“With rumours of phishing attacks and the fact that the data breach could have stemmed from a third party, the cause of the breach may point to some best practice education that needs to be done or perhaps more rigorous checks for partner companies,” said Harvey. “Companies, like British Gas, can also implement unique ways to authenticate their customers, apart from simple passwords.”
“While British Gas should be praised for detecting the breach and providing customers with support, it highlights the need for consumers to do their own due diligence,” he added. “With so many companies falling victim to breaches, there is a high chance that at one point credentials may be exposed – whether that be an email address, password or account information. This makes poor password habits – such as re-using the same password and email address combination – one of the easiest attack vectors for hackers as exposed credentials can be correlated. Every re-used password puts a user at greater risk of being compromised.”
“Avoiding password re-use can be a laborious task for consumers, but there are tools that can alleviate the burden of constantly changing and remembering different passwords,” Harvey said. “One option is to use a tool which creates a centralised store of passwords and generates random, strong and unique passwords for each online service. If you go down this path, however, it’s wise to pick a very long, complex password to access the store, so as to ensure the ‘keys to the kingdom’ are protected.”
The British Gas incident comes after a number of high profile breaches and hacks of late.
Earlier this week Marks & Spencer had to briefly suspend its website, after “technical difficulties” exposed customer information to other website users. It insisted that its website had not been hacked.
But far more serious are hacks that affected companies such as TalkTalk. The ISP confirmed that customer data had been stolen after a “significant and sustained” cyberattack on its website earlier this month.
Police later arrested a 15-year-old boy in Northern Ireland in connection with the attack.
The Carphone Warehouse also suffered a serious data breach in August.