She says the telco is taking a proactive step to make sure its customers don't have their Spark accounts compromised thanks to breaches at other services.
"While we know that it's unsettling to receive emails like this, we'd always prefer to take steps to protect our customers and advise them of the steps they need to take to look after their own online security," she says.
The telco emailed a number of customers on Tuesday after it noticed suspicious activity on their accounts.
The telco forced a password reset on all of the affected accounts.
However, in some cases, it could have been after the horse had bolted.
The Tuesday email read, "Our systems have detected a suspicious sign-in to your MySpark account. The parties involved may have been able to view information in your account such as your name, Spark phone number(s), billing history, calling information and data usage information."
Spark also advises people to check if their credentials are for sale on the net via haveibeenpwned.com.
The telco warns in its email that stolen credentials are not just used for gaining access to accounts.
"Unfortunately, fraudsters are always looking for opportunities to use information they can access illegitimately using your stolen credentials to send you fraudulent emails and requests for money. For example, they can create fake invoices that may look like a bill you would be expecting but with different bank payment details," it says.
Cross says while 21,000 customers had their names up for grabs on the dark web, suspicious activity was noted on fewer than 50 accounts.
"It looks like a hacker had been in [each] account, but no actions were taken that would cause the customer any financial loss," she says.
A refresh of the Privacy Act, currently making its way through Parliament, will make it compulsory for companies to report a data breach to affected customers.
Cross says, "If someone chooses to use log-in details that are easy to guess, that they use for multiple websites or are passwords they have used in the past, they leave themselves at risk. It's extremely important that these customers update their password to something they haven't used before – or on any other website. They should also change their password for any other websites where they have been using the same combination of email address and password."