Broadband and mobile operator Virgin Media and O2 (VMO2) have taken a break from telecoms service provision in order to highlight the ease with which cyber criminals can break into your online accounts. In order to do this they enlisted the help of an ethical hacker to conduct a security assessment on a group of volunteers. Needless to say, account passwords were broken within 3 minutes.
The volunteers only needed to provide Brandyn Murtagh, who is normally a full-time bug bounty hunter and ethical “White Hat” hacker, with their email address. After that he was able to find their passwords by hunting out publicly available information from past online data breaches – including passwords still in use today, along with other personal data (their address, phone number and even places they’ve recently visited).
According to VMO2, 55% of Brits say they’re worried about being hacked, while 78% admit to using the same or near identical passwords on multiple online accounts – including for their email (35%), social media accounts (31%) and for online banking (15%).
However, despite the fact that more than a third of people are aware that their information has been revealed in an online data breach (22% have even experienced their accounts being hacked), a quarter of password recyclers confess that they’d still open a new account today by using repeat passwords.
Ethical hacker Brandyn Murtagh said:
“It can take just three minutes for a hacker to find a password and put people’s accounts at risk, which is why I’ve teamed up with Virgin Media O2 to help get Brits password secure this summer. Having your account accessed isn’t just an inconvenience; it can be the start of a chain leading to someone racking up thousands of pounds of debt in your name. But the good news is that by following my tips, in just a few simple steps you can make big changes to your online security which make it much harder for someone to hack you.”
1. Never reuse the same password – even with a very slight variation
2. Always use at least 14 characters and phrases
3. Implement two factor authentication or a passkey, wherever possible
4. Use a secure password manager
5. Too many sites with the same password? Start with the big ones (including financial, email, mobile operator and work accounts) then work your way from there.
6. Be careful what you put publicly online and avoid using personal details
7. Avoid using public Wi-Fi, particularly when it comes to secure transactions
We’d also add that, unless it’s absolutely necessary, you should try to avoid accepting those prompts that ask if the website can retain your financial details (payment cards etc.) for future use / purchases. Admittedly, this is an inconvenience for when you come to make a future purchase, albeit perhaps not as much of a problem as having those details stolen in a data breach.
In terms of how to make a strong password that you can actually remember, this wonderful XKCD cartoon always comes to mind, although we’d still add a number and special character into the example structure.
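To put some numbers on the XKCD approach and on the “at least 14 characters” tip above, here is an added example (our own code, not VMO2’s or Brandyn Murtagh’s) that generates a random-word passphrase with `secrets` and works out how many bits of entropy different password shapes carry. The word list embedded below is a constructed stand-in for a real list such as the 7,776-word EFF list; the entropy functions take the list size as a parameter, so the figures for a real list are shown alongside.

```python
import math
import secrets
import string

# Constructed, deliberately tiny word list so the demo runs offline.
# A real passphrase list (e.g. the EFF large list) has 7,776 words; the
# entropy maths uses whatever list size it is given, so swap in a real list.
WORDS = [
    "correct", "horse", "battery", "staple", "copper", "garden", "window",
    "rocket", "silver", "pillow", "marble", "lantern", "puzzle", "orbit",
    "velvet", "canyon",
]


def passphrase_entropy_bits(num_words, list_size, extra_digit=False, extra_symbol=False):
    """Bits of entropy for num_words chosen uniformly from list_size words,
    optionally followed by one random digit and one random punctuation mark."""
    bits = num_words * math.log2(list_size)
    if extra_digit:
        bits += math.log2(10)                       # one of 0-9
    if extra_symbol:
        bits += math.log2(len(string.punctuation))  # one of 32 ASCII symbols
    return bits


def random_string_entropy_bits(length, alphabet_size):
    """Bits of entropy for a fully random string, e.g. 14 printable ASCII chars."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, num_words=4, separator="-", add_digit=True, add_symbol=True):
    """Pick words with a CSPRNG (secrets, never random) and append the extra
    digit and symbol the article suggests adding to the XKCD structure."""
    parts = [secrets.choice(words) for _ in range(num_words)]
    phrase = separator.join(parts)
    if add_digit:
        phrase += str(secrets.randbelow(10))
    if add_symbol:
        phrase += secrets.choice(string.punctuation)
    return phrase


def entropy_table():
    """Compare the shapes discussed on the page, using a real-sized word list."""
    return {
        "4 words / 7776-word list": round(passphrase_entropy_bits(4, 7776), 1),
        "4 words + digit + symbol": round(passphrase_entropy_bits(4, 7776, True, True), 1),
        "14 random lowercase letters": round(random_string_entropy_bits(14, 26), 1),
        "14 random printable ASCII": round(random_string_entropy_bits(14, 94), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(WORDS))
    for shape, bits in entropy_table().items():
        print(f"{shape:30s} {bits:6.1f} bits")
```

The table makes the trade-off concrete: four random words from a real list give roughly 52 bits, the added digit and symbol lift that to about 60, while a fully random 14-character string is far stronger on paper but is exactly the kind of password people end up reusing because they cannot remember it. Any of these is only as safe as its uniqueness, which is where the password manager in tip 4 comes in.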
Finally, VMO2 noted how their “Advanced Security” (anti-virus) service had, over the past year, blocked 115 million unsafe and harmful websites, protected against 529k malware and spyware viruses and secured 4m banking and shopping sessions. VMO2 has also blocked more than 500 million fraudulent scam texts this year alone from ever reaching customers and flags 50 million suspicious scam and spam calls every single month.
I use a password that’s made up of two parts:
First part is a very strong password consisting of multiple common words, like the example in the article, with some letters swapped out for numbers and some uppercase. Into that I add a special character(s) and number(s). It shouldn’t use anything unique to you either, like a pet’s name or whatever, just completely random.
Second part is unique to the site or service, generated by my own system I’ve devised, simplified example below.
I only need to remember one strong password and the system I use to generate the unique part to have very strong and unique passwords for everything that I can enter quickly on the fly without much effort.
A very simplified example for ispreview would be correcthOrsebatt3ryStaple#3iR3.
correctHorsebatt3ryStaple#3 – common part, same for every site.
iR3 – i = first letter of first word in site name. R = first letter of second word in site name capitalised. 3 = my code for a news site.
The full password looks complicated but it’s easy to generate; the unique bit should be longer in actual use but you get the idea. You can also obviously insert it anywhere, it doesn’t have to be on the end, it could sometimes be in the middle or whatever based on your own criteria within the system you devise.
Once you have learnt the one strong password and devised a system for the unique bit you don’t even need a password manager.
Just use a PW Manager. Your cipher is not as unique or strong as you think.
If you choose not to, see you on haveibeenpwnd in the near future.
I have to agree with Chacha, that isn’t anywhere near as secure as you think, even if the second part was considerably longer. The current minimum recommended password length is a minimum of 3 random words separated with a punctuation mark, including at least one number, for example Dictionary-Thesaurus-Diabetes-37. And NEVER EVER reuse a passphrase. Also, for the love of all things good, please use MFA via an authenticator app; if you must use the Google app, DO NOT TURN ON SYNC, as there is no evidence the backed-up codes are encrypted.
Your assumption is your downfall.
If you want to try this yourself, pop your email into https://haveibeenpwned.com/ and it’ll reveal if you’ve appeared on any of the password sharing lists out there. Crucially it will not tell you what the password was to prevent the site being used for abuse, but it’ll give you some idea.
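The check the commenter describes is for email addresses. The same service also publishes a Pwned Passwords range API that lets you test whether a specific password has appeared in breach data without ever sending the password, or even its full hash: only the first five hex characters of its SHA-1 are sent, the server returns every hash suffix in that range, and the match is done locally. The code below is an added example (ours, not the commenter’s and not HIBP’s own client); the range response it parses is a constructed sample with made-up counts, and the `fetch_range` function that talks to the real endpoint is only called when you run the file directly.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(password, response_text):
    """Given the body of a range response (lines of 'SUFFIX:COUNT'), return how
    many times this password has been seen in breaches, or 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Network call to the real range endpoint (k-anonymity: only the prefix
    leaves the machine). Not used by the offline demo or the test."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix 5BAA6 (SHA-1 of "password" starts
# with it). The two zero/F lines and all counts are made up for the demo.
SAMPLE_RESPONSE = """
00000000000000000000000000000000000:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2
"""


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-7!"):
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: prefix sent = {prefix}, "
              f"seen {count_in_range_response(pw, SAMPLE_RESPONSE)} times (sample data)")
```

Password managers such as Bitwarden and 1Password run this same check for you; if you script it yourself, keep the comparison on the client as above and never log the candidate password.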
Most important piece of advice from VMO2 was use a password manager. I am personally a big fan of BitWarden, but 1Password is also great. Do not use LastPass.
Perks of using a catch-all email service! Any email sent to my domain comes through to my inbox, meaning every single website I use has a different email address on file! The email address is usually the website spelled out using predictive text on an old Nokia phone! For instance, my email address to log in to Facebook is 32232665@bobmail.com (not my actual domain), whereas my email address to log in to Netflix would be 6383549@bobmail.com – A human might eventually clock on, but considering they use bots I don’t feel I need to worry!
It’s also a great way to control spam and figure out which companies sell your email address to the highest bidder! If I suddenly started getting loads of spam emails to one specific email address, I will know exactly which website sold it based on the alias and be able to block all emails coming from that address!
I use iCloud Hide My Email as it basically does the same thing; it creates a unique email address for each site I sign up for.
Does anyone else remember when we were told to watch out for website redirects? If you go to one website and it then puts you on another, it means you’re at risk? Well, isn’t that what happens under the Online Safety Act?
Virgin are a disgrace. I have been a customer for 20 years. I haven’t had email work on PC or laptop for over 3 months. You cannot contact them. All their UK store telephone numbers have been disconnected.
I am still without emails apart from the iPhone. I want to go through an official way of discrediting this company, but you cannot get near them. The whole company is hidden. But if you email them...? See what I’m getting at. You CANNOT CONTACT VIRGIN ANY WAY! Help appreciated
Agree, Virgin Media are a truly awful company, from their Broadband pricing structure to the outsourcing of their customer services. Best to avoid them completely, unless you have no other option!