Next Directory accounts cracked in £1m scam because customers re-used passwords

Gang that cracked and sold Next Directory customer credentials jailed

A crime gang that hacked the accounts of Next Directory customers simply by culling login names and passwords leaked from other websites has been jailed.

The gang exploited people's tendency to use the same password on multiple websites in order to break in to their Next Directory accounts. The practice means that many people have the same combination of user name (their email address) and password across multiple different accounts, including ecommerce websites.

The fraudsters both exploited the credentials themselves and sold the compromised accounts over websites such as Facebook, via groups called "Super Fun Happy Land" and "Exclusive Deals". At one point, they had available credit on 280 accounts worth as much as £975,000, although only goods to the value of £64,000 were obtained.

Two women and three men pleaded guilty to conspiring to defraud Next Plc between October 2015 and April 2016. A sixth individual admitted using the compromised accounts to steal goods to the value of £11,000.

In order to get round having to change address details, the fraudsters and their accomplices arranged to pick up goods ordered via compromised accounts in-store. That would also have helped the company and police to track them down via in-store CCTV camera images.

The fraudsters may have been helped by Next's internal procedures that, up until a couple of years ago, meant that account holders could obtain credit even if they gave incorrect personal details, such as a wrong date of birth*.

According to the Leicester Mercury newspaper, which covered the case, the account details were sold for between £25 and £80, depending upon the available credit on the account.

Prosecutor Matthew Lowe claimed the ringleader of the gang was Glasgow, Scotland-based Edward Mullen, who recruited mother-of-five Toni Louise Willis of Chelmsford, Essex, to sell the information via PayPal or bank transfer.

Willis, in turn, recruited Dumfries and Galloway-based mother-of-two Leisha Johnstone to help sell the information. Other defendants included Matthew Corry of Londonderry, Northern Ireland, who operated one of the Facebook groups, Craig Ashley of Derbyshire and Rachel Wall of Great Yarmouth.

Wall was given a suspended sentence for obtaining £11,000 of goods by Judge Nicholas Dean QC, while the others were given sentences of between eight months and 18 months each. The defendants will face a proceeds of crime confiscation hearing in May.

Detective chief inspector Ed McBride-Wilding from the Cyber Crime Unit of East Midlands Police Special Operations Unit reiterated that the accounts were only compromised because users used the same password for multiple websites.

"The targets were customers who used the same login and password for other online accounts where their details had been stolen during data breaches involving other companies," said McBride-Wilding. "This case emphasises the need to use different passwords for every business and home account or application."

* information obtained from personal experience