
Virgin Media (UK) stores passwords in plain text, sends them through the mail - molenzwiebel
https://twitter.com/virginmedia/status/1162756227132198914
======
wutbrodo
I learned a long time ago that the default assumption for non-tech-first
companies should be deep, deep incompetence, below the level of an undergrad
with a decent CS degree, when it comes to basic security practice. Even having
your system be Incredibly Important isn't enough to force basic competence:
there were plenty of government and bank systems through the 2000s that were
apparently designed and maintained by high school kids (looking at you
Citibank).

By 2019, a lot of the industries running more critical systems like finance
have figured out that you should take your tech seriously (and it only took
them twenty years to figure it out...), but it's still a pretty good baseline
assumption.

~~~
benj111
"non-tech-first companies"

Is an ISP not tech first?

Bell Labs is an offshoot of a phone company, and early computing was based on the
efforts of phone companies. Phone companies, of which ISPs are the modern variant,
are the original tech companies.

Edit to add: Virgin maintains a fibre optic network so we aren't just talking
about a sales front end to someone else's network.

~~~
wutbrodo
Yea I know, I considered that someone would raise the fact that they're a
telco. It's difficult to articulate what I mean by tech-first, and I don't
want to lean on "I know it when I see it", but I'm describing a cluster in
thingspace that I think is clear to pretty much everyone here.

~~~
JeremyBanks
Is We a tech-first company?

~~~
wutbrodo
I don't know enough about We. Aren't they a real estate company?

~~~
mygo
In their S-1 they claim they're SaaS ("space-as-a-service").

_eyeroll emoji_

------
LeoPanthera
Virgin Media is an ISP, for those who don't know.

Perhaps more shockingly, they have a _maximum_ password length of 10
characters, and the first character must be a letter.

[https://twitter.com/Joshwright10/status/1162811048359014400](https://twitter.com/Joshwright10/status/1162811048359014400)

~~~
jdietrich
Last time I checked, the default WPA passphrase for Virgin Media routers was
always set to eight capital letters, making it trivially crackable with a
reasonable amount of GPU compute.

~~~
stordoff
My current default Virgin WPA password is roughly of the form lLlllNllllll (l
- lowercase letter, L - uppercase letter, N - number), installed about a year
ago, and I know from seeing another one that the position and quantity of the
uppercase letters and numbers aren't fixed.

~~~
dane-pgp
For the benefit of people whose fonts render "l" to look like "|", that's:

L U L L L N L L L L L L

(L - lowercase letter, U - uppercase letter, N - number)

------
jayflux
I get everyone replying to Virgin's Twitter account in disgust, but let's be
honest, the person on the other end of that most likely won't be technical,
nor will there be much chance of them relaying it on. They will reply then go
home for the day.

This is where things like [https://securitytxt.org/](https://securitytxt.org/)
are important. Being able to go through to the team or person who knows what’s
going on. But then again, if a company stores plain text passwords they most
likely won’t have security.txt

~~~
megaremote
> I get everyone replying to Virgin's Twitter account in disgust, but let's be
> honest, the person on the other end of that most likely won't be technical,
> nor will there be much chance of them relaying it on. They will reply then
> go home for the day.

Then why are they responding to a technical issue? And you may say they will
not pass on information, but it is one channel we have of contacting, possibly
the only one.

------
shakna
> Posting it to you is secure, as it's illegal to open someone else's mail.
> ^JGS (@virginmedia)

> There are a number of additional considerations you will need to take
> account of when designing your password system, such as the use of an
> appropriate hashing algorithm to store your passwords, protecting the means
> by which users enter their passwords, defending against common attacks and
> the use of two-factor authentication. [0]

Well, they're not admitting what they do is in any way unsafe, but it really
seems like a cut-and-dried GDPR violation.

They really haven't met even the spirit of:

> Processed in a manner that ensures appropriate security of the personal
> data, including protection against unauthorised or unlawful processing and
> against accidental loss, destruction or damage, using appropriate technical
> or organisational measures.

[0] [https://ico.org.uk/for-organisations/guide-to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/)

~~~
nkrisc
Perhaps users can pay their bills by leaving a bag of cash in the park with
"Virgin Media" written on it, as it would be illegal for anyone else to take
it.

~~~
sipos
In my experience it doesn't make much difference whether you pay the bills or
not.

They sent me to a debt collector more than a year after I had closed my
account, for something I didn't owe them (it was a bill for services after I
had closed my account and been physically disconnected). When I tried to talk
to them about it, one of their call centre managers eventually admitted to me
that there was no public number that could get me through to a call centre
that had anyone able to sort it, or anyone they could transfer me to who could
sort it, so I might as well stop trying and sue them.

I got it sorted by tracking down one of the company executives' home contact
information and calling him about it. I harassed him considerably less than
the debt collectors harassed me.

------
heffebaycay
From 2015: "Virgin Media stores user passwords in plaintext?"
[https://news.ycombinator.com/item?id=9492006](https://news.ycombinator.com/item?id=9492006)

~~~
flurdy
Except now, post-GDPR implementation, it is illegal to be that incompetent.

Not that I expect Virgin Media to change. They are a massive company with
probably a million legacy systems from their NTL, Cable&Wireless and 50 other
mergers that they will never touch.

------
5h
This is the same bunch of clowns who MITM you even after disabling their porn
filter, and the "fix" is to install their root cert.

------
rvz
Right now in 2019, companies in the UK who somehow now think that they are
'tech companies' have this attitude when it comes to security. I met one
company that recently got funding in the UK that deals with personal insurance
and asked them if they write tests and they responded that they don't have
tests, because they have no time to write any. In this case, that is like not
having a security audit because we don't want anyone knowing the secret sauce.

Unfortunately, the motto here is 'If it ain't broke, don't fix it.' and
these systems don't get updated for a while, until it is too late.

> Posting it to you is secure, as it's illegal to open someone else's mail.
> ^JGS

I can't trust Virgin to mail me anything sensitive then, as the person who sent
these details could have just seen it and written it down beforehand. That is
too much of a risk to trust anyone and call that secure, even if it is illegal
to open someone else's mail.

Well I'll be expecting the GDPR officers to mail you clowns a huge fine then.

------
noodlesUK
How is it that ISPs are always such awful organisations? I understand that
their user base isn’t particularly technical, but there’s no excuse for this
sort of public stupidity.

~~~
otakucode
Because the vast majority of them did not start as ISPs. They started as media
distribution companies and built an empire based on the value of doing media
distribution. Then the Internet came along and made distribution worthless,
and the ISP gig was taken up with infinite reluctance.

------
thraxil
When you have a problem and call support, they do the "please enter the 4th
digit of your account password" thing to verify you (further evidence that
they store it in plaintext). This is particularly fun since my password is
only in a password manager, which, if my service is offline, I can't access.
So whenever my internet goes out, calling VM support to get them to fix it
involves an extra 15 minutes of me arguing with them.

~~~
Nextgrid
I’d say that a password manager with no offline caching capability is _also_ a
problem, but yeah, Virgin Media (and Virgin Mobile) are complete monkeys. I’ve
ended up leaving them for a commercial-grade connection costing almost 10x
more just so I don’t have to deal with this bullshit anymore.

~~~
noir_lord
Also in UK, my local ISP is an offshoot of the local Telco (the only one that
didn't merge with BT back when), they are on the pricey end of normal but the
service is fabulous and I've had maybe an hour's disruption in 4 years on
their fiber.

Their engineers are good as well when I've had to deal with them
professionally for work.

It's so hit and miss with other companies I've dealt with though.

------
LIV2
I'm a bit rusty and could be wrong, but doesn't MSCHAPv2/CHAP require knowledge
of the plaintext password on the server side? I think that makes it required
to be stored plaintext for any PPP connection, and thus most if not all ISPs
would be storing plaintext passwords.
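To make the point above concrete, here is an added illustration (not Virgin Media's or any ISP's code) of why RFC 1994 CHAP needs the secret itself on the server side: both ends compute MD5(identifier || secret || challenge), so a one-way hash of the secret cannot stand in for it. For contrast it also shows a salted PBKDF2 verifier, where the server stores nothing from which the password can be recovered; the secret and challenge values are constructed samples. (MS-CHAPv2 differs in detail, using the NT hash of the password rather than the plaintext, but that hash is itself a password-equivalent.)

```python
"""CHAP-style challenge/response versus a salted one-way verifier.

Added example for the thread; not an ISP's implementation. CHAP per RFC 1994:
response = MD5(identifier || secret || challenge). All sample values are
constructed for the demo.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: the response is a hash over the secret itself."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(stored_secret: bytes, identifier: int,
                       challenge: bytes, response: bytes) -> bool:
    """Server side: it must recompute the identical MD5, so it needs the
    secret in usable (plaintext or reversibly encrypted) form. A one-way
    hash of the secret would not let it build this input."""
    expected = hashlib.md5(bytes([identifier]) + stored_secret + challenge).digest()
    return hmac.compare_digest(expected, response)


def make_verifier(password: bytes, iterations: int = 100_000) -> tuple:
    """Contrast: store only (salt, PBKDF2 hash); the password is not
    recoverable from the stored record if the database leaks."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_password(password: bytes, salt: bytes, stored_hash: bytes,
                    iterations: int = 100_000) -> bool:
    """The client sends the password over a protected channel and the server
    re-derives the hash; no plaintext is kept at rest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hash)


def demo() -> dict:
    secret = b"correct horse"          # constructed sample secret
    challenge = os.urandom(16)         # fresh per-session challenge
    resp = chap_response(1, secret, challenge)
    salt, digest = make_verifier(secret)
    return {
        "chap_ok": chap_server_verify(secret, 1, challenge, resp),
        "chap_wrong_secret": chap_server_verify(b"other", 1, challenge, resp),
        "pbkdf2_ok": verify_password(secret, salt, digest),
        "pbkdf2_wrong": verify_password(b"other", salt, digest),
    }


if __name__ == "__main__":
    print(demo())
```

Note that a server holding only the `make_verifier` record has no `stored_secret` to pass to `chap_server_verify`, which is exactly the constraint the comment above describes.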

------
amiga-workbench
UCAS used to do a similar thing. I really hope they have fixed this since.
[https://i.imgur.com/H2gADSX.png](https://i.imgur.com/H2gADSX.png)

~~~
LeoPanthera
The difference here is that OP is referring to _postal_ mail, not email.

------
mlmartin
Virgin Media have a 'memorable word' that you quote to the phone agents as
proof that it's you talking to them. It's not the password to the online
account and it's only one of a few bits of info you get asked to prove you are
the account holder.

I think this is what is being talked about. Not the actual account 'password'.

~~~
reificator
I wouldn't be so sure:

[https://plaintextoffenders.com/post/4983474119/virginmobilec...](https://plaintextoffenders.com/post/4983474119/virginmobilecouk-virgin-mobile)

------
tastroder
Don't think this was posted yet, they doubled down on this:

[https://mobile.twitter.com/VirginMediaIE/status/116344119354...](https://mobile.twitter.com/VirginMediaIE/status/1163441193541414912)

------
alex_duf
Unfortunately Plusnet does the same.

------
thecleaner
Does anyone else think the Virgin group companies are really bad and are
simply based on good marketing? My read on Branson himself is that he's DT
with actual billions.

~~~
jasoncartwright
Virgin Media has been owned by Liberty Global since 2013

~~~
Angostura
And Branson only owned 3% before that

