British Gas customers have become the latest to fall victim to a data breach, after their email addresses and account passwords were published online. Around 2,200 people were affected, when the details were posted to the document-sharing site Pastebin. They have since been removed, but customers are worried they may have been exposed.
The BBC reported that British Gas has emailed all the affected customers and disabled their accounts. It has asked them to call or go online to reset their passwords.
The company has been keen to point out that no bank account or payment card details were published. It added in the email: "I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk. As you'd expect, we encrypt and store this information securely. From our investigations, we are confident that the information which appeared online did not come from British Gas."
According to ITV, experts have speculated that, if the British Gas systems were not breached, the information could have been obtained from a separate data breach, which the hackers then used to check whether people had reused the same details to log into their British Gas account. Alternatively, they could have harvested the details through phishing or vishing attacks, simply asking people for their login details.
Are you at risk?
However the data was uncovered, anyone who has been affected needs to be alert to the threat of fraud. The criminals could potentially have used the logins to see customers' names, addresses and past energy bills. This could provide them with vital information for a bigger scam.
If they are armed with an email address and password, they can simply try those details against internet banks, shops and other accounts; if you have used the same password for anything sensitive, they could potentially gain access. It means that anyone affected should take the precaution of changing their password everywhere.
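The response described above (disable the affected accounts, force a reset) and the reuse check that makes credential stuffing work can be shown together from the defender's side. The following is an added example, not code from British Gas or from the article: given a leaked list of email/password pairs, it disables every matching customer account, issues a reset token, and records whether the leaked password actually verifies against the stored hash, which tells the company which customers had reused it. The account store, the leaked list and the PBKDF2 parameters are all constructed sample data.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # constructed example value; tune for real deployments


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (the stored form, never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(password: str) -> dict:
    """Build a constructed account record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "disabled": False, "reset_token": None}


# Constructed customer records (placeholder addresses, not real customers).
ACCOUNTS = {
    "alice@example.com": make_account("Winter2015!"),
    "bob@example.com": make_account("correct horse battery"),
    "carol@example.com": make_account("unique-and-random-9f3k"),
}

# Constructed sample of a leaked email/password dump, the kind of list the article describes.
LEAKED = [
    ("alice@example.com", "Winter2015!"),    # same password as on our system: reuse confirmed
    ("carol@example.com", "wrongpassword"),  # email matches, password does not
    ("dave@example.com", "whatever"),        # not our customer, nothing to do
]


def password_matches(account: dict, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(account["hash"], hash_password(password, account["salt"]))


def respond_to_leak(accounts: dict, leaked: list) -> list:
    """For every leaked pair whose email belongs to a customer: disable the account,
    issue a reset token, and note whether the leaked password works here (i.e. was reused)."""
    actions = []
    for email, password in leaked:
        account = accounts.get(email)
        if account is None:
            continue
        reused = password_matches(account, password)
        account["disabled"] = True
        account["reset_token"] = secrets.token_urlsafe(32)
        actions.append({"email": email, "password_reused": reused, "disabled": True})
    return actions


if __name__ == "__main__":
    for action in respond_to_leak(ACCOUNTS, LEAKED):
        print(action)
```

The `password_reused` flag is the useful output: customers for whom it is true had the same password on the leaked site and on this one, so their other accounts are the ones most urgently in need of a change, while accounts that merely share an email address still get disabled and reset as a precaution.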
Even if you have not been hit by this attack, it highlights the risk of failing to use unique and unguessable passwords for everything online. If you tend to use the same passwords for everything, this attack demonstrates the risk involved, so it's worth going into each account and changing the password.
It can be tricky to remember multiple passwords, but it's important to keep them unique and not to write them down.
One option is to pick a base password and tailor it for each site, perhaps by adding the first two consonants and the first two vowels of the service's name. If, for example, the base password is 'IFL', your password for Amazon would be 'IFLMZAA', which anyone would be hard pressed to guess. Alternatively, you can invest in password-manager software that generates strong passwords and remembers them for you each time you visit a site.
It's slightly more complicated than just using your mother's maiden name for everything, but it's far harder for anyone to guess or exploit.