Email addresses and passwords leaked to Pastebin did not come from within the company, firm says

British Gas has emailed more than 2,000 of its customers to warn them that their email addresses and passwords to their British Gas accounts were posted online.

In the email, the company told customers that its systems were secure, and that the data had not come from British Gas. It did not explain where the information did come from.

In reply to a customer’s query about the incident British Gas Help posted on Twitter: “A small number of customer details briefly appeared online but our systems are secure.”

According to the BBC, the email read: “I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk. As you’d expect, we encrypt and store this information securely.

“From our investigations, we are confident that the information which appeared online did not come from British Gas.”

The account details were posted to online text-sharing service Pastebin. If they did not come from British Gas directly, they may have been pieced together from other data breaches, by testing for passwords which were re-used across multiple accounts, or they may have been uncovered as a result of a phishing campaign targeting British Gas customers.

Details will be sent to the Information Commissioner’s Office following the leak, British Gas said.