O2 customer data found for sale on the dark web

But firm denies it's been hacked

O2 customer data has been found for sale on the dark web, but the mobile operator has denied that it's been the victim of a breach.

The BBC learned about the data haul, which includes O2 users' personal information such as names, phone numbers, dates of birth, email addresses and passwords, after an ethical hacker found it listed on a dark net market.

O2 has denied that it has been hacked and said the information was "almost certainly" obtained by exploiting usernames and passwords first stolen from gaming website XSplit three years ago.

By successfully matching those stolen log-in details against O2 accounts, the cybercriminals could then access O2 customer data. This process is called 'credential stuffing'.
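As an added illustration (not part of the BBC or O2 reporting), the check below flags the login pattern that credential stuffing leaves in a service's own logs: one source trying many distinct usernames with mostly failures, plus the few accounts that did log in from it and so need notifying. The log lines, IP addresses, usernames and thresholds are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, outcome (not real O2 data).
SAMPLE_LOG = """\
2016-07-26T10:00:01Z 203.0.113.5 alice FAIL
2016-07-26T10:00:02Z 203.0.113.5 bob FAIL
2016-07-26T10:00:02Z 203.0.113.5 carol FAIL
2016-07-26T10:00:03Z 203.0.113.5 dave OK
2016-07-26T10:00:03Z 203.0.113.5 erin FAIL
2016-07-26T10:00:04Z 203.0.113.5 frank FAIL
2016-07-26T10:01:10Z 198.51.100.7 hasnain FAIL
2016-07-26T10:01:20Z 198.51.100.7 hasnain FAIL
2016-07-26T10:01:45Z 198.51.100.7 hasnain OK
"""


def parse_auth_log(text):
    """Parse one whitespace-separated event per line into (ts, ip, user, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.3):
    """Return {ip: summary} for sources whose behaviour looks like credential stuffing.

    A legitimate user retrying their own password (198.51.100.7 above) touches one
    username; a stuffing run walks a stolen list, so it touches many usernames
    and succeeds rarely. Accounts that did succeed from a flagged IP are the
    ones whose reused password just worked and who should be warned.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "attempts": 0})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["ok_users"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["ok_users"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "success_ratio": round(ratio, 2),
                           "likely_compromised": sorted(stats["ok_users"])}
    return flagged
```

In practice the same counting is done per time window and combined with other signals (ASN, user agent, impossible travel), since a distributed run spreads attempts across many source addresses.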

"Credential stuffing is a challenge for businesses. We act immediately if we are given evidence of personal credentials being taken from the internet and used to try and compromise a customer's account," an O2 spokesperson said.

"We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves."

O2 customer Hasnain Shaw, whose account details were among those on sale, explained that his data had already been used by hackers to access more accounts.

"I was away from home when eBay contacted me to say there was some suspicious activity on my account. I checked and it looked like there were cars for sale on my account," Shaw told the BBC.

O2 has said that it has notified customers affected by the leak, and that it is helping law enforcement with an investigation.

James Romer, chief security architect at SecureAuth, warned that this latest leak should be a "stark wake-up call for businesses".

"We all know that using the same password/username credentials across multiple sites is a bad idea, yet it still happens far too often," he said.

"Users have difficulty remembering different passwords for the multitude of needs of our online lives, so they default to using the same password over and over and it's generally something simple.

"Organisations must move away from the current reliance on a single point of authentication to multifactor, or even better, continuous authentication. Not only does this render stolen credentials completely worthless across the breached site, it means they cannot be used to compromise users more broadly."