Nearly 2,000 Vodafone customers have been left "open to fraud" following "unauthorised access" to user accounts, the firm has revealed.
A total of 1,827 customers have had their names, phone numbers and partial bank details exposed on an "unknown source external to Vodafone". The firm maintained that its core systems were not breached.
The incident shows the clear risks of using the same password on multiple websites, as criminals are able to exploit this data to access other sensitive accounts.
It is possible that the personal records originated from the dark web and were used to provide unauthorised access to user accounts, but this is yet to be verified.
Vodafone said that no full credit or debit card details were obtained and that the partial data cannot be used to access bank accounts. However, the attack, which occurred between midnight on 28 October and midday on 29 October, has affected customers who are now at risk of fraud and phishing attempts.
The accounts have all been blocked, and Vodafone is contacting customers directly and advising them to change their log-ins and passwords.
Vodafone said that the affected customers' banks have been alerted to the incident and that compromised details have been loaded into the Credit Industry Fraud Avoidance Service database to reduce the chances of further fraud.
The company has also informed the National Crime Agency (NCA), Ofcom and the Information Commissioner's Office, and started an internal investigation.
"We would like to make clear that only the 1,827 customers, who have all been contacted, have been affected by this incident. No other customers have been affected or need to be concerned, as the security of our customers' data continues to be one of our highest priorities," the firm said.
The NCA told V3 that it "could neither confirm nor deny" any ongoing investigation, while an Ofcom spokesperson said: "We are in close contact with Vodafone to understand what happened."
Ryan Wilk, director at NuData Security, explained the dangers of password reuse and how cyber criminals use the dark web to access sensitive data.
"Data thieves sell this information to aggregators, who cross-reference and compile full identities, called 'fullz', on the data black market. This increases the value and usefulness of the stolen data and is building countless identities for the fraudsters," he said.
"With the amount of data on the black market, there is no end to the potential damage the fraudsters can do using the stolen data.
"While phone and wireless companies have recently been in the headlines, this trend is industry agnostic. Any company in any vertical where sensitive data is stored will be a target of hackers and criminals. While the loss of this data is an issue in and of itself, the secondary use of the stolen data should be a concern to every business."
Brian Spector, chief executive of cryptography firm Certivox, added that strong passwords are vital for robust online protection.
"The advice that has for many years been repeatedly given to online services customers is to use complex passwords, which is useful, of course," he said.
"Perhaps more importantly people should avoid using the same password for multiple sites. The human aspect of memorising all these different passwords is not to be underestimated: it's simply too hard."
The news follows a "significant and sustained" cyber attack on mobile and internet provider TalkTalk which was initially estimated to have put up to four million customers at risk.
The breach, which has resulted in three arrests spanning England and Northern Ireland, exposed a significant number of names, addresses, phone numbers and partial bank details.
Most recently, Marks & Spencer was forced to suspend activity on its website last week following reports that sensitive customer data was being revealed to other users when logged in to personal shopping accounts.
It was recently revealed that sensitive UK details, including identities and banking records, are being sold on the dark web for as little as £12.