British Gas has emailed approximately 2,200 customers urging them to change their passwords after their login credentials were posted online. According to The Guardian, the account details were posted to the online text-sharing service Pastebin and, if accessed, could have allowed an attacker to view the names, addresses, and previous energy bills of the affected British Gas customers. No customer payment card details are believed to have been compromised as of this writing. After discovering the leak, the energy company emailed all 2,200 customers and reassured them that their servers had not been breached:
"I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk," the email reads, as reported by the BBC. "As you'd expect, we encrypt and store this information securely. From our investigations, we are confident that the information which appeared online did not come from British Gas."
If the company's servers are indeed secure, the account details might have been obtained from another data breach and then subsequently tested by attackers to see if the same login credentials had been used for British Gas accounts. Alternatively, the customers exposed by the leak might have been fooled by phishers into relinquishing their login credentials via the use of social engineering techniques.
The energy company has since revealed that it did not test the affected account details prior to contacting the affecting customers. This could mean that fewer than 2,200 accounts of its total 14.7 million customer base were actually affected by the breach. British Gas is the third UK company to have been affected by a security incident in a week. On Tuesday, multinational retailer Marks & Spencer suspended its website for two hours after customers were able to see others' account details after logging in to their own profiles. This follows last week's revelation that a breach against the UK telecommunications company TalkTalk might have exposed the personal information of as many as four million customers.
