Virgin Media is one of the UK's largest ISPs. Freaky Clown is one of the UK's most respected and experienced ethical hackers.
One of these knows a lot about information security. The other is Virgin Media.
But wait, I'm getting ahead of myself. This tale of woe (and staggering ineptitude) begins when Freaky Clown forgot the login details for his Virgin Media account and requested a password reset. After speaking to a representative on the phone, he's told it'll be mailed to him in the coming days.
Ok a thread: I have never signed into my @virginmedia account but I did set one up years ago but forgot all the details. I request a password reset. The person on the phone gives me "one last chance" to guess what email I used, I get it on the third try! #itgetsworse
– freakyclown (@_Freakyclown_) August 17, 2019
And it did. But when Freaky Clown opened the envelope, he couldn't believe his eyes. It was his previous password!
First, a little digression. I've got to tell you why this is so problematic from a security perspective. You see, people tend to re-use the same passwords across the Internet. They shouldn't, but they do. Therefore, it's considered best practice for any service holding log-on details to store passwords in a form that cannot be turned back into the password, not even by the service itself. If the company can mail you your old password, it is storing it in a form it can read back, and that is the whole problem.
This is done through a process called hashing and salting. A one-way hash function turns a human-readable password like "hunter2" into a string of seemingly random characters; the string in this example, "f3bbbd66a63d4bf1747940578ec3d0103530e21d," is the plain SHA-1 digest of "hunter2." On its own that is not enough: an unsalted digest is the same at every site that uses the same function, so attackers can look it up in precomputed tables or match it across breach dumps. A salt, a random value stored alongside each user's hash and mixed into the calculation, makes the stored string unique to that user and that site, and a deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2) makes each guess expensive.
What this means is that should an attacker gain access to that site's database, they get hashes rather than passwords. Each one has to be cracked separately by guessing, strong passwords survive that, and a hash lifted from one site cannot be matched directly against another. Plaintext, by contrast, hands the attacker every customer's password for immediate use on every other service where it was reused.
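To make the distinction concrete, here is an added example in Python (my own illustration, not code from the article, from Virgin Media, or from Freaky Clown). It reproduces the article's unsalted SHA-1 digest of "hunter2," contrasts it with a salted, slow PBKDF2 hash, and shows what a "post it to the customer" reset can and cannot put in the envelope. The work factor, record layout and sample records are assumptions made for the example.

```python
"""Added example (not from the article): why a salted, slow password hash
cannot leak the original password, even to the operator itself.
Standard library only; the user records below are constructed inline."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed work factor; tune so one hash costs ~100 ms on your servers


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the digest form the article quotes. Fast and
    identical everywhere, so it is not a password hash: the same password
    hashes to the same string at every site, and lookup tables apply."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a fresh 16-byte random
    salt per user. bcrypt, scrypt or Argon2 would be equally good choices.
    Stored format (assumed for this example): algo$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_string_at_two_sites(password: str, hasher) -> bool:
    """Does a customer who reuses `password` at two sites end up with the
    same stored string at both? True for unsalted SHA-1, False for a
    salted hash: a dump from site A cannot be matched against site B."""
    return hasher(password) == hasher(password)


def reset_letter(record: dict) -> dict:
    """What a reset-by-post can contain.
    A plaintext store (what the article infers Virgin Media has) can put
    the old password in the envelope. A hashed store cannot: the best it
    can do is mint a one-time token, keep only the token's hash, and mail
    the token, so the letter never reveals anything reusable elsewhere."""
    if "password" in record:                      # plaintext store
        return {"letter": record["password"], "kind": "old_password"}
    token = secrets.token_urlsafe(24)             # hashed store
    record["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return {"letter": token, "kind": "one_time_token"}


if __name__ == "__main__":
    # Constructed sample records for the two storage designs.
    plaintext_user = {"email": "fc@example.com", "password": "hunter2"}
    hashed_user = {"email": "fc@example.com",
                   "password_hash": hash_password("hunter2")}
    print("SHA-1 of hunter2:", sha1_hex("hunter2"))
    print("same string at two sites? sha1:",
          same_string_at_two_sites("hunter2", sha1_hex),
          "salted:", same_string_at_two_sites("hunter2", hash_password))
    print("plaintext store mails:", reset_letter(plaintext_user)["kind"])
    print("hashed store mails:", reset_letter(hashed_user)["kind"])
```

The point of `reset_letter` is that a correctly designed system has nothing to mail but a fresh, single-use secret; if a company can send you the password you set years ago, the only explanation is that it kept a readable copy.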
Now, back to Freaky Clown. Either Virgin Media had managed to generate a password that was character-for-character identical to his previous one, which would be an incredible coincidence, or, far more likely, it was storing passwords in an insecure format.
Freaky Clown, like most security professionals, is an avid user of Twitter, and quickly began roasting Virgin Media for its apparent security failings. A company representative quickly clapped back, explaining that this process is perfectly fine from a security perspective, as it's illegal to open someone else's mail.
Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS
– Virgin Media (@virginmedia) August 17, 2019
Yes, because criminals don't break laws, right?
By that logic, why should I lock my front door? After all, burglary is illegal.
And maybe, by extension, we should do away with the police, as breaking laws is illegal. Just imagine all the money we'd save from the salaries of officers, detectives, judges, and prison guards.
At the time of writing, that tweet has been shared over 1,200 times, and received over 1,800 likes. And, to be fair, I don't want to be too harsh on the Virgin Media representative. Communicating security is a difficult job, and it's one that shouldn't be left in the hands of otherwise unqualified frontline social media professionals.
The biggest issue here isn't the tweet. It's that Virgin Media is seemingly using insecure practices to hold customer data. And, should it get hacked, it could create a contagion effect that will result in accounts on other services being compromised.
Thatās the problem.
For the love of God, Virgin Media, it's 2019. You should have learned from the example of other hacked services, like LinkedIn, MySpace, and Ashley Madison, all of which paid dearly for weak password storage. You owe it to your customers.