Hi everyone, thanks for checking in. I’m Ben, Head of Security here at giffgaff. This week we’ve become aware of a security issue affecting a handful of giffgaff members (less than thirty), and as well as working with them to resolve it I wanted to make sure we provided some information so people can avoid it happening to them. Don’t worry - this is not a vulnerability with any giffgaff system, and while we are taking a number of mitigating steps to minimise risk to members, it’s also a good opportunity to give some advice on not just how best to avoid this issue, but how to be better protected online in general as well.
We’ve discovered some evidence of a few members’ accounts being fraudulently accessed and used either to fraudulently top up other giffgaff accounts or to take control of the SIM card, which can then give them access to other accounts you hold. In this case, the fraudsters have been gaining access to giffgaff accounts by using a technique called “credential stuffing”, where they search for passwords which have been used on websites of companies that have suffered data breaches in the past, and then try them on giffgaff.com. From there, the fraudster can then use a saved card to make purchases on other giffgaff accounts.
We’re advising those members who have reached out to us about this to make sure that they change their passwords on their giffgaff account and any other account that shares that password immediately. We’re also asking them to contact their bank to report any fraud that has taken place.
Our technology team have also recently put additional measures in place to ensure that this method of fraud is substantially more difficult to execute, which were added to our system this week. This may mean that you see the feature that allows you to top up another giffgaff number is disabled in some contexts.
The most effective way to protect yourself from this is to use a different, strong password for every website you log into. To help manage these passwords and avoid password reuse, we recommend the use of a password manager, such as iCloud Keychain (built into every iPhone), LastPass, 1Password, or KeePass. This means that even if a service that you use has a data breach in future, that password is not shared across other accounts, and so your exposure is minimal.
You can check whether your email address has ever been included in a public data breach with HaveIBeenPwned, which maintains an actively-updated database of all breaches, so you can make sure you can secure any accounts that may be at risk. This site also provides an alert service should your email turn up in any future breaches.
Finally, we will only ever ask you for your giffgaff username and password on giffgaff.com, and nowhere else. If you’re asked to log in, check that you’re on a page that’s served by giffgaff.com in your address bar - if not, don’t enter anything, and let us know about the page by contacting our agent team.
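The credential-stuffing pattern described above, one source trying breached passwords against many different accounts, shows up in login telemetry only when attempts are grouped by source rather than by account. The following is an added example, not giffgaff code; its log format, identifiers and IP addresses are all constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real giffgaff data). One line per attempt:
# <timestamp> <source ip> <login identifier> <OK|FAIL>
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 203.0.113.7 member_a FAIL
2024-01-10T09:00:02Z 203.0.113.7 member_b FAIL
2024-01-10T09:00:02Z 203.0.113.7 member_c FAIL
2024-01-10T09:00:03Z 203.0.113.7 member_d FAIL
2024-01-10T09:00:03Z 203.0.113.7 member_e OK
2024-01-10T09:00:04Z 203.0.113.7 member_f FAIL
2024-01-10T09:05:00Z 198.51.100.2 member_g FAIL
2024-01-10T09:05:10Z 198.51.100.2 member_g OK
"""

def parse_log(text):
    """Return (timestamp, source_ip, identifier, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, ident, result = line.split()
            events.append((ts, ip, ident, result == "OK"))
    return events

def flag_stuffing_sources(events, min_identifiers=5, min_fail_ratio=0.6):
    """Return {source_ip: identifiers that logged in OK} for sources that cycle
    through many distinct identifiers with mostly failures (stuffing pattern).
    A per-account lockout after N wrong passwords does not catch this, because
    each account sees only one attempt; grouping attempts by source does.
    """
    per_source = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                      "identifiers": set(), "successes": set()})
    for _ts, ip, ident, ok in events:
        s = per_source[ip]
        s["attempts"] += 1
        s["identifiers"].add(ident)
        if ok:
            s["successes"].add(ident)
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_source.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["identifiers"]) >= min_identifiers and fail_ratio >= min_fail_ratio:
            # Accounts that authenticated from a flagged source need a forced
            # password reset and a review of any saved-card purchases.
            flagged[ip] = s["successes"]
    return flagged
```

On the sample log, `flag_stuffing_sources(parse_log(SAMPLE_LOG))` flags 203.0.113.7 and names member_e as the account that was actually entered; the single mistyped-then-correct login from 198.51.100.2 is left alone.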
Wow Ben serious indeed! The crafty beggars will do anything these days to try and rip us off, I'm glad giffgaff are aware of this and I hope the, less than 30, affected members have taken action and that number doesn't rise, and I hope members follow your sound advice. 😮
Thanks for notifying us and for the explanation. There have been a couple on Twitter who have raised this.
Some are upset about the communication between the agents and themselves, and I can understand why they are worried. My advice is for the agents to give regular updates about the situation. Situations like this on Twitter, where people voice their anger about a situation, aren’t good. This isn’t a simple ‘typical’ giffgaff issue. People’s personal details are at stake.
captainben wrote: <snip> Finally, we will only ever ask you for your giffgaff username and password on giffgaff.com, and nowhere else.
@captainben Thanks for the update. You missed out the mobile number in lieu of username.
The flaw is that gg mobile numbers are public knowledge and routinely given out, including to companies that may get hacked. Hackers do not need to know your gg username: if they have your mobile number and a possible password, they are almost in. This is a security flaw of some magnitude.
Mobile numbers ought not be used at login.
Where a wrong pw is entered twice in a row then surely you should be securing that account for a number of hours, to prevent access.
Can you confirm these options are on the way?