The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts, the BBC’s Victoria Derbyshire programme has learned.
When the log-in details matched, the hackers could access O2 customer data in a process known as “credential stuffing”.
O2 says it has reported the case to police, and is helping the inquiry.
It is highly likely this technique will have been used to log onto other companies’ accounts, too.
Flood works outside Penwortham Methodist Church “causing absolute chaos”
‘Wicked and cruel’ man attacked woman with axe before tying her up and raping her in Accrington
Finney House Care Home: Preston care home still requires improvement after risk of harm from paracetamol overdose
Lancashire County Council responds to angry Buckshaw parents over school bus concerns
'No-kill' animal shelter forced to explain why they put two healthy dogs to sleep at Blackpool site
All the O2 account holders whose details the BBC has seen have been informed, with many saying they had used the same login for other online accounts.
O2 said in a statement: “We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many company’s customer data being sold on the dark net.
“We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”