The accounts are believed to have been accessed using usernames and passwords stolen from XSplit, a gaming website, three years ago.
After finding matching login details, fraudsters would have been able to access the customer data and sell it on.
The BBC reported that O2 is assisting a police inquiry, and that the process is “highly likely” to have also been used to access other companies’ accounts.
The stolen data is composed of phone numbers, emails, passwords and dates of birth, and was shown to the BBC by an ethical hacker who discovered it in a dark net market.
O2 said in a statement published by the BBC: “We have not suffered a data breach. Credential stuffing is a challenge for businesses and can result in many companies’ customer data being sold on the dark net.
“We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”
BBC journalists bought a small sample of the data in order to further investigate the ethical hacker’s claims. They have since contacted every O2 account holder whose data they saw. Many said the login details had been used for other accounts too.
The Open Web Application Security Project describes credential stuffing as “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts”.
The dark net is accessible via specialist web browsers and is often used by criminals.