A crime gang that hacked the accounts of Next Directory customers simply by culling login names and passwords leaked from other websites have been jailed.
The gang exploited people’s tendency to use the same password on multiple websites in order to break-in to their Next Directory accounts. The practice means that many people have the same combination of user name (their email address) and password across multiple different accounts, including ecommerce websites.
The fraudsters both exploited the credentials themselves and also sold the compromised accounts over websites such as Facebook, via groups called “Super Fun Happy Land” and “Exclusive Deals”. At one point, they had available credit on 280 accounts worth as much as £975,000, although only goods to the value of £64,000 were obtained.
Two women and three men pleaded guilty to conspiring to defraud Next Plc, between October 2015 and April 2016. A sixth individual admitted using the compromised accounts to steal goods to the value of £11,000.
In order to get round having to change address details, the fraudsters and their accomplices arranged to pick-up goods ordered via compromised accounts in-store.
