O2 customer data is being sold on the 'dark web' after it was leaked through the gaming website XSplit in 2013, according to a BBC report.
An ‘ethical hacker’ reportedly contacted the Victoria Derbyshire programme to make them aware of the breach.
Log-in details from the XSplit were matched with O2 accounts in a practice called ‘credential stuffing’, where the same details are used to try and log in to multiple websites.
Among the details for sale were phone numbers, email addresses and passwords of customers, though O2's own security was not breached as part of the process.
The so-called dark web is a subsection of the internet that can only be accessed via specialised software and is used for a large number of illegal activities, including the sale of stolen data and drugs.
O2 said in a statement that it was aware of the situation and had notified police.
"We have not suffered a data breach," it said. "Credential stuffing is a challenge for businesses and can result in many companies' customer data being sold on the dark net.
"We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.
"We act immediately if we are given evidence of personal credentials being taken from the Internet and used to try and compromise a customer's account. We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves.”
Computer security experts say the incident is further proof that username and password systems alone are not enough to protect consumers, particularly those who use the same details across multiple sites.
James Romer, chief security architect Europe for cyber security firm SecureAuth said: "The O2 data leak must be a stark wake-up call for businesses who continue to rely on traditional username and password authentication alone. We all know that using the same password-username credentials across multiple sites is a bad idea, yet it still happens far too often.
"Bad actors are taking advantage of this laissez-faire attitude, trying stolen credentials not just on one site but a number - even employing botnets which automate the process.
"Organisations must move away from the current reliance on a single point of authentication to multi-factor or, even better, continuous authentication."
The Internet Service Provider TalkTalk was hit by a cyber-attack last year where customer details were stolen that was estimated to have cost the company at least £35m.