Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Telstra exposes customer user names and passwords to the world

December 9th 2011 in Uncategorized

Unbelievable, isn’t it:
http://www.theage.com.au/it-pro/it-news/telstra-probes-privacy-breach-amid-network-outage-20111210-1ooez.html

Email, online billing, BigPond self-care and “My Account” have been down since Friday evening, and Twitter has been in meltdown. Note: it seems that only *incoming* email is affected now – reports indicate that outgoing email is working just fine at the time of writing (2:54 EST).

A horrid situation, to be sure, but I do wonder at some of the complaints that I am seeing on Twitter about the action Telstra took.

[image]

[image]

Imagine if Telstra had held off so it could notify customers first – that would have given spammers/scammers/criminals more time to use stolen credentials.

[image]

Really? You really sure you want them to do that? You might be one of the people who had their email username and password exposed.


Anyway… what’s to be the next step? Obviously everybody at potential risk is going to have to change their passwords, but how to tell them to do it? Turn on email access again and send them an email, hoping that they’ll read it and change their password real quick. But how to protect users for that period of time between email service being reactivated and passwords being changed? At the very least the Bigpond email servers should reject any connections not coming from a computer with a Bigpond IP address – it’s not perfect, and it has its drawbacks, but it’s better than nothing. I don’t envy Telstra the challenges that face them now.

Telstra users actually choose their own password when setting up their accounts in-store nowadays instead of being issued a password by Telstra – I’ve been there when a salesman asked a person to write down their choice of password on a piece of paper so that he could enter it into the computer. I didn’t like that protocol then and I don’t like it now – I shudder to think how many people use the same password on multiple accounts.

We have no way of knowing how long the data breach existed, or how many people viewed the now-disabled web page. I would strongly recommend that affected users change not only their Telstra password but also the password of any other site on which they have used the same password, ESPECIALLY if they have used their Bigpond email address as their login name.

In fact, that advice applies to EVERYBODY. Be very careful about sharing passwords across multiple services, and NEVER use non-unique passwords on email, banking or financially sensitive sites. Ask yourself: if a site is hacked or your info is negligently exposed (as happened with Telstra), and somebody got your info from that one site, what other sites could they get access to? Could crooks use your username and password to get into one of your email accounts? Could they then send password reset requests for *other* sites to the email account that they have got into? Think big picture.
