Hi everyone, thanks for checking in. I’m Ben, Head of Security here at giffgaff. This week we’ve become aware of a security issue affecting a handful of giffgaff members (fewer than thirty), and as well as working with them to resolve it I wanted to make sure we provided some information so people can avoid it happening to them. Don’t worry - this is not a vulnerability in any giffgaff system, and while we are taking a number of mitigating steps to minimise risk to members, it’s also a good opportunity to give some advice not just on how best to avoid this issue, but on how to be better protected online in general as well.
We’ve discovered some evidence of a few members’ accounts being fraudulently accessed and used either to fraudulently top up other giffgaff accounts or to take control of the SIM card, which can then give the fraudster access to other accounts you hold. In this case, the fraudsters have been gaining access to giffgaff accounts by using a technique called “credential stuffing”, where they search for passwords which have been used on websites of companies that have suffered data breaches in the past, and then try them on giffgaff.com. From there, the fraudster can use a saved card to make purchases on other giffgaff accounts.
We’re advising those members who have reached out to us about this to make sure that they change their passwords on their giffgaff account and any other account that shares that password immediately. We’re also asking them to contact their bank to report any fraud that has taken place.
This week our technology team also put additional measures in place that make this method of fraud substantially more difficult to execute. This may mean that you see the feature that allows you to top up another giffgaff number is disabled in some contexts.
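For readers on the defending side, here is an added example (not giffgaff's code; the log format, placeholder IPs and thresholds are assumptions) of how the credential-stuffing pattern described above can be picked out of login audit logs: one source trying many different usernames once each, mostly failing, as opposed to one username being guessed repeatedly. The accounts it did get into are the ones to force a password reset on.

```python
import re
from collections import defaultdict

# Constructed sample login-audit lines (documentation-range IPs); the format is assumed.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z ip=203.0.113.5 user=alice result=fail
2024-03-01T09:00:02Z ip=203.0.113.5 user=bob result=fail
2024-03-01T09:00:02Z ip=203.0.113.5 user=carol result=success
2024-03-01T09:00:03Z ip=203.0.113.5 user=dave result=fail
2024-03-01T09:00:04Z ip=203.0.113.5 user=erin result=fail
2024-03-01T09:00:05Z ip=203.0.113.5 user=frank result=fail
2024-03-01T09:01:10Z ip=198.51.100.7 user=alice result=fail
2024-03-01T09:01:15Z ip=198.51.100.7 user=alice result=fail
2024-03-01T09:01:20Z ip=198.51.100.7 user=alice result=success
2024-03-01T09:02:00Z ip=192.0.2.9 user=ivan result=success
"""
LINE_RE = re.compile(r"^\S+ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$")


def parse_log(text):
    """Yield (ip, user, succeeded) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "success"


def detect_credential_stuffing(text, min_users=5, max_tries_per_user=2.0, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames once or twice each, mostly failing.
    One username hammered with many guesses (brute force, or a mistyping member) is not flagged.
    Returns {ip: {"attempts", "users", "compromised"}}; "compromised" = accounts to reset."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ok": set()})
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok"].add(user)
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        n_users = len(s["users"])
        if n_users < min_users:
            continue
        tries_per_user = s["attempts"] / n_users
        fail_ratio = s["failures"] / s["attempts"]
        if tries_per_user <= max_tries_per_user and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"], "users": n_users, "compromised": sorted(s["ok"])}
    return flagged
```

On the sample above only 203.0.113.5 is flagged (six usernames, five failures, one successful login to carol's account); the repeated attempts against alice from 198.51.100.7 are left for a separate brute-force or lockout rule.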
The most effective way to protect yourself from this is to use a different, strong password for every website you log into. To help manage these passwords and avoid password reuse, we recommend the use of a password manager, such as iCloud Keychain (built into every iPhone), LastPass, 1Password, or KeePass. This means that even if a service that you use has a data breach in future, that password is not shared across other accounts, and so your exposure is minimal.
You can check whether your email address has ever been included in a public data breach with HaveIBeenPwned, which maintains an actively updated database of breaches, so you can secure any accounts that may be at risk. This site also provides an alert service should your email turn up in any future breaches.
Finally, we will only ever ask you for your giffgaff username and password on giffgaff.com, and nowhere else. If you’re asked to log in, check that you’re on a page that’s served by giffgaff.com in your address bar - if not, don’t enter anything, and let us know about the page by contacting our agent team.