VIDEO: Password scare for some British Gas customers


BBC News is reporting that British Gas has contacted some 2,200 customers after finding their passwords and email addresses posted anonymously online on the document-sharing site Pastebin.

But don't be too quick to reach for your pitchforks and cheesewires just yet, because British Gas's IT security team may not deserve to be hung up from the lampposts.

According to the report, British Gas appears to be pretty emphatic in its email to affected customers that it has *not* suffered a security breach, and that it does not believe the data originated with them:

"I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk. As you'd expect, we encrypt and store this information securely. From our investigations, we are confident that the information which appeared online did not come from British Gas."

Instead, it seems the finger of blame is being pointed either at customers reusing the same password in multiple places on the net, or at a couple of thousand customers having fallen for a phishing attack.

There definitely is a huge problem with many people using the same password in multiple places. The fundamental flaw with that approach is that if malicious hackers manage to steal your password from one site, you can be pretty sure that they will then try it against your email account, your eBay account, and who knows where else...

Password reuse is a huge problem. In fact, I would argue that it is a bigger problem than choosing dumb, obvious passwords.

So, the sensible approach is to use a different password for every online account you have. And if, like me, you think you will never be able to remember all those complex, unique passwords - well, get yourself a password manager program to do the hard work for you.
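As an added example (not part of the original post, and not British Gas's own process), here is the kind of triage a site's security team can run when a dump of email/password pairs turns up on a paste site. It takes the site's own user table, which stores only salted PBKDF2 hashes, and for each leaked pair checks three things: is the email one of ours at all; if so, does the leaked password verify against our stored hash (the customer reused it, so the account needs an immediate reset); or does only the email match (the leaked password came from somewhere else). The user table, the dump contents and the example.com addresses are all constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Iteration count for PBKDF2-HMAC-SHA256; an assumption for this example,
# real deployments should tune this (or use scrypt/Argon2).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def make_user_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a stand-in for the site's credential store: email -> (salt, hash).
    Plaintext passwords are used only to seed the constructed example."""
    table = {}
    for email, password in users.items():
        salt = os.urandom(16)
        table[email.lower()] = (salt, hash_password(password, salt))
    return table


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines as typically seen in paste-site dumps.
    Blank or malformed lines are skipped; only the first ':' splits, so
    passwords containing ':' survive intact."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def triage_dump(table: Dict[str, Tuple[bytes, bytes]],
                dump: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify each leaked pair against our own credential store."""
    result = {"not_ours": [], "email_only": [], "password_reused": []}
    for email, password in dump:
        rec = table.get(email)
        if rec is None:
            # Email is not a customer; nothing to reset, but worth counting.
            result["not_ours"].append(email)
            continue
        salt, stored = rec
        # Constant-time comparison so the check itself is not a timing oracle.
        if hmac.compare_digest(hash_password(password, salt), stored):
            result["password_reused"].append(email)
        else:
            result["email_only"].append(email)
    return result


# Constructed sample data for this example only.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "Summer2015!",
    "carol@example.com": "hunter2",
}

DUMP_TEXT = """\
alice@example.com:correct horse battery staple
bob@example.com:letmein
dave@example.com:qwerty

garbage line without a separator
"""


def run_example() -> Dict[str, List[str]]:
    table = make_user_table(USERS)
    return triage_dump(table, parse_dump(DUMP_TEXT))


if __name__ == "__main__":
    for bucket, emails in run_example().items():
        print(f"{bucket}: {emails}")
```

Only accounts in the `password_reused` bucket prove the customer used the same password elsewhere; an `email_only` hit tells you the address is circulating but says nothing about their password on your site. Note that the check never needs plaintext passwords on the defending side, only the hashes the site already stores, and a dump where none of the leaked passwords verify against your hashes is exactly the evidence a site would cite to say the data did not come from them.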

Of course, things aren't helped much by British Gas's aversion to password managers.

You can see what I have to say about the British Gas incident, and hear more about my advice for computer users, in my latest YouTube video.

If you would like me to make more videos, please consider subscribing to my YouTube channel.



3 Responses

  1. drsolly

    October 29, 2015 at 2:07 pm

    Password reuse is *the* password problem, much much bigger than people using simple passwords.

  2. coyote

    October 29, 2015 at 5:37 pm

    'Password reuse is a huge problem. In fact, I would argue that it is a bigger problem than choosing dumb, obvious passwords.'

    Perhaps so but it is even worse when it is simple, easy to guess passwords being reused. I suspect that many people do this. It doesn't help that many people don't even know there is such a thing as complexity, when it comes to passwords, and that many don't realise the risks, but awareness is one of the biggest problems (if not the biggest) when it comes to security (and actually many other things).

    Edit: Just as a question: did you change the maximum character limit to be 3000, down from 5000? Not that it matters in the end, but I could have sworn it was 5k, not 3k.

    • Graham Cluley in reply to coyote.

      October 31, 2015 at 6:26 am

      No, it's been 3000 characters since I introduced the character limit on comments. :)
