TalkTalk website hit by cyber-attack

Comments

  • MacMickster
    MacMickster Posts: 3,646 Forumite
    On a message posted on its website, TalkTalk states: "We are continuing to work with leading cybercrime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.

    "We would like to reassure you that we take any threat to the security of our customers' data very seriously. We constantly review and update our systems to make sure they are as secure as possible and we’re taking all the necessary steps to understand this incident and to protect as best we can against similar attacks in future. Unfortunately cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent."

    And yet customer data is held unencrypted. Ludicrous!
    "When the people fear the government there is tyranny, when the government fears the people there is liberty." - Thomas Jefferson
  • alleycat`
    alleycat` Posts: 1,901 Forumite
    Not a TalkTalk customer, but if they are anything like Sky I'd bet the details of previous customers are still available and were also taken.

    My old Sky login still works, it just says I have no associated services.

    It still shows all my details in the way it did when I was a true paying customer.

    I also wonder if TalkTalk have actively excluded all their old "but details still exist" customers from the total volume to try to make it look better.

    Not sure how you make 4 million look "better" but PR people do like to spin.

    If they "lost" that data as well are they intending to let those people know also?
    I'd suspect not....
  • Oblivion
    Oblivion Posts: 20,248 Forumite
    I think in the light of this fiasco, the government should compel all ISPs to declare whether personal data is held in encrypted form and if not, to make sure it is immediately.
    ... Dave
    Happily retired and enjoying my 14th year of leisure
    I am cleverly disguised as a responsible adult.
    Bring me sunshine in your smile
  • GingerBob_3
    GingerBob_3 Posts: 3,659 Forumite
    TalkTalk:


    "We would like to reassure you that we take any threat to the security of our customers' data very seriously...."


    Have you noticed how whenever someone, or some organisation, tells you they take something "very seriously" it means the exact opposite: they don't take it seriously, otherwise they wouldn't be having to lie to you that they do!


    Always be very wary of the "take something very seriously" remark.
  • Oblivion
    Oblivion Posts: 20,248 Forumite
    I had to laugh when Dildo Harding made this comment ... "I'm a customer myself of TalkTalk, I've been a victim of this attack." And she's the Chief Executive. Oh well that makes it all right then.


    Keep digging that hole lady!
    ... Dave
    Happily retired and enjoying my 14th year of leisure
    I am cleverly disguised as a responsible adult.
    Bring me sunshine in your smile
  • Many reports in press about this and was thinking about switching next week. TT said 'offering a year's free credit monitoring' so do they want more access to your bank account as well!
    Regards

    Mark
  • Oblivion wrote: »
    I think in the light of this fiasco, the government should compel all ISPs to declare whether personal data is held in encrypted form and if not, to make sure it is immediately.

    Encrypted data can, in the main, be decrypted. One-way encryption is possible, and passwords are routinely stored this way (you only have to check that the encrypted password stored in the database matches the encrypted version of the password just entered), but that is hopeless for things that the user might wish to see and edit, e.g. address details, or things that need to be used after being stored, e.g. card details.

    If the site has been compromised to the extent that data has been stolen, then it's fair to assume that the decryption keys used on the site to read any encrypted data have also been stolen. Having the data encrypted would add nothing in the circumstance.
    Proud member of the wokerati, though I don't eat tofu. Home is where my books are. Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019. Mortgage free July 2023
  • stojio
    stojio Posts: 107 Forumite
    Oh great.
    We just literally switched to TT and our services went live with them yesterday! Well that's just my luck at the moment!
    Can't remember giving my date of birth at any time during sign up though?
    Fingers crossed, no notification from TT yet either, but will be checking my bank from now on, and changing passwords - when I can actually get on the site!!!

    I've just switched as well, services go live soon. Bah.
  • alleycat`
    alleycat` Posts: 1,901 Forumite
    I imagine even if TalkTalk now decide they want or "need" to actually hash the passwords and other data they probably can't just go ahead and do that.

    If they did it would break POP/IMAP services, their "customer portal", RADIUS, FTP services and various other aspects that rely on the password and other data to be stored as it currently is.

    Recompiling/testing/development on those systems would be time consuming and not a quick fix.

    Hashed passwords are still pretty easy to guess using things like rainbow tables. People tend to use predictable / repeating / cack passwords which means normal hashing methods can be pretty "weak".

    Adding a "Salt" would help in slowing down that sort of attack but it's all a bit late now.

    On the positive side:-

    I bet it's got plenty of other ISPs (and their ilk) frantically running around working out if they are as vulnerable right now.
    It might, for values of might, end up saving someone else.
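
Added example, not part of any forum post and not TalkTalk's code: the posts above mention one-way password storage, table-based guessing of plain hashes, and salting. This Python code uses constructed accounts and an assumed iteration count, and goes slightly beyond the posts by pairing the per-user salt with a slow key-derivation function (PBKDF2), to show why one precomputed table recovers unsalted digests but not salted ones.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

# Constructed sample accounts: alice and bob chose the same weak password.
ACCOUNTS = {"alice": "letmein1", "bob": "letmein1", "carol": "T4lk-less-2015!"}
# Constructed stand-in for a precomputed table of common passwords.
COMMON = ["123456", "password", "letmein1", "qwerty"]


def unsalted(password):
    """Fast, unsalted digest: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_recover(stored, wordlist):
    """Recover passwords from unsalted digests with one precomputed table."""
    table = {unsalted(w): w for w in wordlist}
    return {user: table[d] for user, d in stored.items() if d in table}


def hash_password(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    weak_store = {u: unsalted(p) for u, p in ACCOUNTS.items()}
    strong_store = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    return {
        "recovered_unsalted": lookup_recover(weak_store, COMMON),
        "same_digest_unsalted": weak_store["alice"] == weak_store["bob"],
        "same_digest_salted": strong_store["alice"][1] == strong_store["bob"][1],
        "login_ok": verify_password("letmein1", *strong_store["alice"]),
        "login_bad": verify_password("letmein2", *strong_store["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

A salt does not make a weak password strong: it only forces the guessing to be redone per account, which is why it is combined here with a slow derivation function.
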
  • Does anyone know of a way I can migrate from Talktalk full LLU and keep my existing phone number? Is that simple?
This discussion has been closed.