O2 customer data has been found for sale on the dark web, but the firm has denied being the victim of a breach.
The BBC learned about the data haul, which includes O2 users' personal information such as name, phone number, date of birth, email address and password, after an ethical hacker found it listed on the dark net market.
O2 has denied that it has been hacked and the BBC report backs this up, saying that the information was "almost certainly" obtained by exploiting usernames and passwords first stolen from gaming website XSplit three years ago.
By successfully matching log-in details, the cyber criminals were able to access O2 customer data. This process is called 'credential stuffing'.
"Credential stuffing is a challenge for businesses. We act immediately if we are given evidence of personal credentials being taken from the internet and used to try and compromise a customer's account," an O2 spokesperson said.
"We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves."
O2 customer Hasnain Shaw, whose account details were among those on sale, explained that his data had already been used by hackers to access more accounts.
"I was away from home when eBay contacted me to say there was some suspicious activity on my account. I checked and it looked like there were cars for sale on my account," Shaw told the BBC.
O2 has said that it has notified customers affected by the leak, and that it is helping law enforcement with an investigation.
James Romer, chief security architect at SecureAuth, warned that this latest leak should be a "stark wake up call for businesses".
"We all know that using the same password/username credentials across multiple sites is bad idea, yet it still happens far too often," he said.
"Users have difficulty remembering different passwords for the multitude of needs of our online lives, so they default to using the same password over and over and it’s generally something simple.
"Organisations must move away from the current reliance on a single point of authentication to multifactor, or even better, continuous authentication. Not only does this render stolen credentials completely worthless across the breached site, it means they cannot be used to compromise users more broadly."
Infected apps have been downloaded more than 50 million times
Customers of regular price-raising ISP and cable operator claim nationwide outages started on Monday
Pixel 2 smartphones and a Pixel-branded laptop also planned by Google
The moment you've all been waiting for...