O2 customer data is being sold by criminals on the dark net, the Victoria Derbyshire programme has learned.
The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log in to O2 accounts.
When the login details matched, the hackers could access O2 customer data in a process known as "credential stuffing".
O2 says it has reported the case to law enforcement, and is helping inquiries.
It is highly likely that this technique will have been used to log in to other companies' accounts too.