British Gas logins exposed online

Company doesn’t believe its systems were breached.

British Gas has contacted about 2,200 of its customers to warn them that their email addresses and account passwords were posted online.

It says, however, that it does not think its own systems were breached.
The affected accounts have been disabled following the discovery.
No bank account or payment card details would have been revealed, but the logins could have been used to view users’ names, addresses and past energy bills.
An email sent to affected customers states: “I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk.
“As you’d expect, we encrypt and store this information securely.
“From our investigations, we are confident that the information which appeared online did not come from British Gas.”
The BBC understands that British Gas – which is owned by Centrica – wrote to the account holders before checking if all of the published passwords worked, so it is possible that a smaller number of accounts were actually put at risk.
The details were posted to the document-sharing site Pastebin before being removed.
British Gas has about 14.7 million customer accounts, so the affected number represents a small fraction of its clients.
If the firm was indeed not at fault, it is possible that the perpetrators obtained the passwords from another data breach and then checked to see if some people had used the same details to log into British Gas’s site.
Another possibility is that the users were targeted by a phishing campaign and had been fooled into revealing their details.
Affected users are being asked to make contact by phone or to securely reset their passwords via the company’s website.
The alert follows Tuesday’s Marks and Spencer website glitch, which allowed customers to see each other’s details, and a hack attack on TalkTalk’s website last week that the telecoms firm has acknowledged could have revealed users’ bank details and personal information.