Virgin Media is one of the UK’s largest ISPs. Freaky Clown is one of the UK’s most respected and experienced ethical hackers.
One of these knows a lot about information security. The other is Virgin Media.
But wait, I’m getting ahead of myself. This tale of woe (and staggering ineptitude) begins when Freaky Clown forgot the login details for his Virgin Media account and requested a password reset. After speaking to a representative on the phone, he’s told it’ll be mailed to him in the coming days.
Ok a thread: I have never signed into my @virginmedia account but I did set one up years ago but forgot all the details. I request a password reset. The person on the phone gives me “one last chance” to guess what email I used, I get it on the third try! #itgetsworse
— freakyclown (@_Freakyclown_) August 17, 2019
And it did. But when Freaky Clown opened the envelope, he couldn’t believe his eyes. It was his previous password!
First, a little digression. I’ve got to tell you why this is so problematic from a security perspective. You see, people tend to re-use the same passwords across the Internet. They shouldn’t, but they do. Therefore, it’s considered best practice for any service holding log-on details to store passwords in a form from which the original password cannot practically be recovered, even by the service itself.
This is done through a process called hashing and salting: a human-readable password like “hunter2” is turned into a string of seemingly random characters, such as “f3bbbd66a63d4bf1747940578ec3d0103530e21d”, and the salt makes that string unique to that particular site.
What this means is that should an attacker gain access to that site’s database, the stored values they obtain cannot simply be read off and reused to log in to accounts on other websites.
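To make the hashing-and-salting point concrete, here is an added Python example (not from the article, and nothing to do with Virgin Media’s actual systems): it contrasts a bare, unsalted SHA-1 of “hunter2” with a salted PBKDF2 record, and shows that only the salted record is unlinkable across sites and can never be handed back to a customer. The iteration count and record format are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the password used in the article.
PASSWORD = "hunter2"


def unsalted_sha1(password: str) -> str:
    """A bare hash with no salt. Every site using this scheme stores the same
    string for the same password, so one leaked table links accounts across
    sites and matches precomputed tables directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted_hash(password: str, salt: Optional[bytes] = None,
                      iterations: int = 600_000) -> str:
    """What a service should keep on file: a random per-account salt plus a
    slow, salted derivation (PBKDF2-HMAC-SHA256 from the standard library).
    The password itself is never written anywhere, so it cannot be mailed back."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm$iterations$salt$digest (binary parts as hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Check a login attempt by re-deriving with the stored salt and comparing in
    constant time. Verification is the only thing the stored value supports."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def linkable_across_sites(record_a: str, record_b: str) -> bool:
    """True when two sites' stored records betray that one password was reused:
    exactly the cross-site contagion the article is worried about."""
    return record_a == record_b


if __name__ == "__main__":
    site_a, site_b = store_salted_hash(PASSWORD), store_salted_hash(PASSWORD)
    print("unsalted SHA-1:", unsalted_sha1(PASSWORD))
    print("linkable (unsalted):", linkable_across_sites(unsalted_sha1(PASSWORD), unsalted_sha1(PASSWORD)))
    print("linkable (salted):  ", linkable_across_sites(site_a, site_b))
    print("login ok:", verify(site_a, PASSWORD), "| wrong password:", verify(site_a, "hunter3"))
```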
Now, back to Freaky Clown. Either Virgin Media had managed to generate a password that was character-for-character identical to his previous one, which would be an incredible coincidence, or, far more likely, it was storing passwords in an insecure format.
Freaky Clown, like most security professionals, is an avid user of Twitter, and quickly began roasting Virgin Media for its apparent security failings. A company representative quickly clapped back, explaining that this process is perfectly fine from a security perspective, as it’s illegal to open someone else’s mail.
Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS
— Virgin Media (@virginmedia) August 17, 2019
Yes, because criminals don’t break laws, right?
By that logic, why should I lock my front door? After all, burglary is illegal.
And maybe, by extension, we should do away with the police, as breaking laws is illegal. Just imagine all the money we’d save from the salaries of officers, detectives, judges, and prison guards.
At the time of writing, that tweet has been shared over 1,200 times, and received over 1,800 likes. And, to be fair, I don’t want to be too harsh on the Virgin Media representative. Communicating security is a difficult job, and it shouldn’t be left to frontline social media staff who have no security training.
The biggest issue here isn’t the tweet. It’s that Virgin Media is seemingly using insecure practices to hold customer data. And, should it get hacked, it could create a contagion effect that will result in accounts on other services being compromised.
That’s the problem.
For the love of God, Virgin Media, it’s 2019. You should have learned from the example of other hacked services, like LinkedIn, MySpace, and Ashley Madison, all of which made the same mistake you’re making right now. You owe it to your customers.