According to the BBC, UK energy provider British Gas has just contacted 2200 customers to warn them that their passwords may have been exposed.
Apparently, the email addresses and passwords of affected users showed up on popular data dumping site Pastebin.
If the passwords were valid, crooks who downloaded the dumped password data would almost certainly have been able to retrieve additional personal information, such as account history, simply by logging in to each account.
That sort of “data mining” can often be automated, of course, but scraping the affected accounts won’t work any more in this case, because those accounts have been blocked.
With nearly 15 million customers, you’d probably expect a British Gas data breach to deliver more dramatic results than just 2200 passwords.
But a mini-leak of this sort can be explained in several ways:
- Crooks sometimes provide a “freebie” sample before offering stolen data for sale in bulk.
- The passwords could come from a phishing campaign, and not involve a server breach at all.
- Crooks often try passwords from one breach against multiple sites, to catch out people who re-use passwords.
What about British Gas?
British Gas told the BBC:
From our investigations, we are confident that the information which appeared online did not come from British Gas.
There’s no reason to disbelieve British Gas, which rules out (1) above.
And a phishing campaign that targeted British Gas (2) would very likely involve asking victims for more than just their password, and thus yield more data.
So, at this point, reason (3) seems a likely explanation.
One account, one password
If your password was exposed in the Ashley Madison breach, for example, crooks could already have tried to login as you on numerous other sites, either to go after additional data, or simply to build up a bigger portfolio of passwords for sale.
In other words, when we say, “ONE ACCOUNT, ONE PASSWORD,” we really mean it.
Note that choosing a super-strong password doesn’t help if you then use it on several sites, because that means your strong password is only as good as the security of the weakest site.
If you can only reliably remember one really decent password, try using a password manager, where the master password unlocks all your other passwords.
To summarise:
- Make your passwords hard to guess. Don’t use nicknames, birthdays, pets, and so on.
- Go as long and complex as you can. Aim for 14 mixed-up characters, or even more.
- Consider using a password manager. These can remember passwords like Vg@53p/OhHn9Dl;7 as easily as you remember PASSWORD1.
- One account, one password. Don’t let one accounts’s sloppy security undermine all your other accounts.
Learn more
💡 Is it *really* such a bad idea to use a password twice? ►
💡 How to pick a proper password ►
💡 Storing passwords safely ►
(No video? Watch directly from YouTube. No audio? Click on the Captions icon.)
Bryan
typo 5th paragraph, s/that/than
Duck, thanks for all the great posts; keep ’em coming!
Anna Brading
Good spot! Fixed now :-)
tartanrose
Thank You for yet another excellent post.
By the way……………..loving the hat!
Paul Ducklin
I acquired the hat for the 5th Birthday photo. It came from a party shop, all covered in sparkly silver glitter. (The hat, not the shop.)
With GIMP’s help, I made it Sophos Blue. Sort of.
tartanrose
Thanks for your reply and info.
I had never heard of GIMP before so checked it out…………funny sometimes the roundabout way we hear of things!
Anyway I think you definitely got pretty close to Sophos blue with the end result. It’s in the same family anyway.
I hope you have a fantastic week ahead…………Rosie