British Gas in “password breach” quandary

According to the BBC, UK energy provider British Gas has just contacted 2200 customers to warn them that their passwords may have been exposed.

Apparently, the email addresses and passwords of affected users showed up on popular data dumping site Pastebin.

If the passwords were valid, crooks who downloaded the dumped password data would almost certainly have been able to retrieve additional personal information, such as account history, simply by logging in to each account.

That sort of “data mining” can often be automated, of course, but scraping the affected accounts won’t work any more in this case, because those accounts have been blocked.

With nearly 15 million customers, you’d probably expect a British Gas data breach to deliver more dramatic results than just 2200 passwords.

But a mini-leak of this sort can be explained in several ways:

  1. Crooks sometimes provide a “freebie” sample before offering stolen data for sale in bulk.
  2. The passwords could come from a phishing campaign, and not involve a server breach at all.
  3. Crooks often try passwords from one breach against multiple sites, to catch out people who re-use passwords.

What about British Gas?

British Gas told the BBC:

From our investigations, we are confident that the information which appeared online did not come from British Gas.

There’s no reason to disbelieve British Gas, which rules out (1) above: a “freebie” sample of a bulk theft would have had to come from British Gas’s own systems.

And a phishing campaign that targeted British Gas (2) would very likely involve asking victims for more than just their password, and thus yield more data.

So, at this point, reason (3) seems a likely explanation.

One account, one password

If your password was exposed in the Ashley Madison breach, for example, crooks could already have tried to login as you on numerous other sites, either to go after additional data, or simply to build up a bigger portfolio of passwords for sale.
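From the site operator’s side, the reuse attack described above leaves a recognisable trace: one client tries many *different* accounts in a short window, mostly failing, with an occasional success where a victim re-used a password. The following is an added example, not code from the article or from British Gas; it runs over a constructed, assumed log format (`timestamp ip email LOGIN_OK|LOGIN_FAIL`) and flags source addresses that look like a dump being replayed, while leaving alone a single user fumbling their own password.

```python
"""Credential-stuffing detector over constructed sample login logs.

Added example, not from the article. The log format and the sample lines
are assumed and constructed for illustration; thresholds are assumptions too.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client ip> <email> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 replays a leaked list (10 accounts in 9 seconds, 2 re-users caught);
# 198.51.100.4 is one user mistyping their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2015-10-29T09:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2015-10-29T09:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2015-10-29T09:00:02 203.0.113.7 carol@example.com LOGIN_OK
2015-10-29T09:00:03 203.0.113.7 dave@example.com LOGIN_FAIL
2015-10-29T09:00:04 203.0.113.7 erin@example.com LOGIN_FAIL
2015-10-29T09:00:05 203.0.113.7 frank@example.com LOGIN_FAIL
2015-10-29T09:00:06 203.0.113.7 grace@example.com LOGIN_FAIL
2015-10-29T09:00:07 203.0.113.7 heidi@example.com LOGIN_OK
2015-10-29T09:00:08 203.0.113.7 ivan@example.com LOGIN_FAIL
2015-10-29T09:00:09 203.0.113.7 judy@example.com LOGIN_FAIL
2015-10-29T09:05:00 198.51.100.4 alice@example.com LOGIN_FAIL
2015-10-29T09:05:20 198.51.100.4 alice@example.com LOGIN_FAIL
2015-10-29T09:05:40 198.51.100.4 alice@example.com LOGIN_OK
2015-10-29T10:00:00 192.0.2.9 bob@example.com LOGIN_OK
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=8, max_success_rate=0.5):
    """Return {ip: stats} for IPs that, within `window`, hit at least
    `min_accounts` distinct accounts with a success rate of at most
    `max_success_rate`. Many attempts against ONE account never trigger this;
    a replayed breach list (many accounts, mostly wrong passwords) does.
    The stats record which accounts the attacker got into, i.e. the
    password re-users who need a forced reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in chunk if ok)
            if successes / len(chunk) > max_success_rate:
                continue
            prev = flagged.get(ip)
            if prev is None or len(accounts) > prev["accounts"]:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "attempts": len(chunk),
                    "successes": successes,
                    "compromised": sorted(u for _, u, ok in chunk if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The thresholds (8 distinct accounts in 10 minutes, at most half succeeding) are assumptions to tune against real traffic; the point is the shape of the signal, many accounts per source rather than many attempts per account, and the list of accounts that did succeed, which is exactly the set of re-used passwords a site would want to reset.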

In other words, when we say, “ONE ACCOUNT, ONE PASSWORD,” we really mean it.

Note that choosing a super-strong password doesn’t help if you then use it on several sites, because that means your strong password is only as good as the security of the weakest site.

If you can only reliably remember one really decent password, try using a password manager, where the master password unlocks all your other passwords.

To summarise:

  • Make your passwords hard to guess. Don’t use nicknames, birthdays, pets, and so on.
  • Go as long and complex as you can. Aim for 14 mixed-up characters, or even more.
  • Consider using a password manager. These can remember passwords like Vg@53p/OhHn9Dl;7 as easily as you remember PASSWORD1.
  • One account, one password. Don’t let one account’s sloppy security undermine all your other accounts.

Learn more

💡 Is it *really* such a bad idea to use a password twice? ►

💡 How to pick a proper password ►

💡 Storing passwords safely ►
