Around 2,200 British Gas customers have had their email addresses and passwords to the utility company posted online on the document-sharing site Pastebin. British Gas has contacted the affected customers and assured them that its security system had not been breached and that none of their payment data had been put at risk.
The logins, which have since been removed from the site, gave users access to around 2,200 British Gas customers' names, addresses and past energy bills. The company, owned by Centrica has disabled the affected accounts following the discovery. It has also asked its affected customers to contact the company or to securely reset their passwords through British Gas's website.
The company however insisted that the information that was posted online did not come from British Gas. In an email sent out to affected customers, the utility giant said: "I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk.
"As you'd expect, we encrypt and store this information securely. From our investigations, we are confident that the information which appeared online did not come from British Gas," it added.
The BBC said that the utility company wrote to the affected account holders before checking if all the published passwords actually gave access to British Gas accounts. The actual number of accounts put at risk could be lower, it noted.
It is not clear how the information was accessed if there was indeed no security breach at British Gas' end. One possibility raised is that the customers could have been targeted by a phishing company and tricked into revealing their details.
Another way the information could have been obtained was through another data breach elsewhere and then the perpetrators checked to see if the customers used the same login details to access their British Gas accounts, BBC notes.
On 27 October, Marks and Spencer's website allowed customers to see each other's personal details and last week, an attack on TalkTalk's website resulted in details of its customers' bank details and personal information being put at risk.