Update – August 18, 2019: The article has been updated with a statement from Virgin Media saying that the password sent to customers by post is not the the main password, it’s a “memorable word” which is used for verification during phone support. Virgin Media’s statement is at the bottom of this article.
In a recent tweet, UK internet service provider Virgin Media suggested that it stores customer passwords in plain text and admitted to sending passwords to customers by post. Not only is this potentially in violation of the General Data Protection Regulations (GDPR) but it’s also a huge security risk that could theoretically allow staff members or bad actors to access customer accounts without their permission.
Virgin Media made the admission when responding to a customer on Twitter. The customer said that they had forgotten their account details, gone through the password reset process, and then received their old Virgin Media password by post.
I finally get the password reset request actioned, phone representative tells me password will be posted to me.. ok weird but I accept. Today the post arrives and I shit you not it’s my old password!!!! (I remembered it on sight) So they store the password and just posted me it!!
— freakyclown (@_Freakyclown_) August 17, 2019
The customer was not happy about Virgin Media’s lackluster password security practices and reiterated their concerns. Virgin Media then replied to the customer, claiming that “Posting it to you is secure, as it’s illegal to open someone else’s mail.”
Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS
— Virgin Media (@virginmedia) August 17, 2019
While it may be illegal to open other people’s mail, many Twitter users were quick to point out that this is unlikely to stop bad actors from opening the letters with passwords that Virgin Media sends out.
— Rain (@rainingcoyotes) August 17, 2019
And that’s not the only concern. By confirming that it sends passwords to customers by post, Virgin Media appears to be also admitting that it doesn’t hash customer passwords and stores these passwords in a way that allows them to be accessed by either its staff members or an automated system that prints them out.
Typically, organizations that host online customer accounts hash their passwords to increase security. Hashing is a form of encryption that converts passwords into an unreadable string of text that’s almost impossible to convert back. It allows websites and online services to verify the validity of a password without having to store it – meaning that no one can see the customer's password.
Failing to hash passwords and sending passwords to customers by post could create a trove of security problems for Virgin Media customers.
First, staff inside Virgin Media could, in theory, access customer accounts, either by accessing the passwords directly or opening the letters with the printed passwords.
Second, malicious actors outside of Virgin Media could intercept these letters or abuse the system to get access to customer passwords. For example, anyone who opens the letters and also knows a person’s Virgin Media email address will be able to access the account. Many Virgin Media customers are likely to use this email address for communication and share it with multiple contacts which increases the risk of the password being compromised in this way.
A bad actor that has a Virgin Media customer’s email address and knows their physical address could also trigger the password reset process, intercept the letter, and get access to the account that way.
Finally, recent statistics shows that 51% of people reuse their passwords across multiple online accounts. Most people use the same email for all their online accounts so if a bad actor gets access to a Virgin Media customer’s account, there’s a high probability that they’ll also be able to maliciously access their other online accounts with the same credentials.
Beyond the security problems, there’s also the question of whether this practice violates the GDPR. The Information Commissioner’s Office (ICO), a UK regulator that is responsible for enforcing GDPR, says in its “passwords in online services” guide for organizations that: “Any password system you deploy must protect against theft of stored passwords.” The guide adds:
“There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.”
Not hashing passwords and mailing them to customers in the post appears to go against most of the recommendations laid out by the ICO.
This admission from Virgin Media is eerily similar to a 2018 incident which impacted customers of the mobile network operator T-Mobile in Austria. In April 2018, Austrian T-Mobile customer service representatives admitted that the company stores customer passwords in plain text. When customers raised concerns that this left the company wide open to data breaches that expose customer passwords, the customer service representatives responded with comments such as: “What if this doesn’t happen because our security is amazingly good?” Just over four months later, T-Mobile Austria was hacked.
There have also been a series of password security blunders by major online services providers in 2019. A few days ago, cryptocurrency exchange Coinbase admitted that it accidentally stored thousands of passwords in clear text in its internal web server logs. And earlier this year, Facebook admitted that it mistakenly stored millions of Facebook and Instagram passwords in a readable format within its internal data storage systems.
Update – August 18, 2019: A Virgin Media spokesperson said: “We have strong security measures in place to protect our customer accounts. Asking for a ‘memorable word’ when customers phone us, which is separate to any online account password, is one of multiple ways we verify account details.”