Telstra exposes customer user names and passwords to the world
Unbelievable, isn’t it:
http://www.theage.com.au/it-pro/it-news/telstra-probes-privacy-breach-amid-network-outage-20111210-1ooez.html
Email, online billing, BigPond self-care and “My Account” have been down since Friday evening, and Twitter has been in meltdown. Note: it seems that only *incoming* email is affected now – reports indicate that outgoing email is working just fine at time of writing (2:54 EST)
A horrid situation, to be sure, but I do wonder at some of the complaints that I am seeing on Twitter about the action Telstra took.


Imagine if Telstra had held off so it could notify customers first – that would have given spammers/scammers/criminals more time to use stolen credentials.

Really? You really sure you want them to do that? You might be one of the people who had their email username and password exposed.
Anyway… what’s to be the next step? Obviously everybody at potential risk is going to have to change their passwords, but how to tell them to do it? Turn on email access again and send them an email, hoping that they’ll read it and change their password real quick. But how to protect users for that period of time between email service being reactivated and passwords being changed? At the very least the Bigpond email servers should reject any connections not coming from a computer with a Bigpond IP address – it’s not perfect, and it has its drawbacks, but it’s better than nothing. I don’t envy Telstra the challenges that face them now.
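To make the stop-gap above concrete, here is an added example (not code from the original post, and not Telstra’s or Bigpond’s own configuration) of a source-address allowlist applied to mail-server connection attempts. The address ranges are RFC 5737/RFC 3849 documentation prefixes standing in for the ISP’s real customer ranges, which are not on the page, and the log lines are constructed; the check fails closed on anything it cannot parse.

```python
import ipaddress
import re

# Constructed placeholder allowlist. The post proposes accepting only connections
# from the ISP's own address space; the real ranges are not on the page, so
# RFC 5737 / RFC 3849 documentation prefixes stand in for them here.
ALLOWED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder for an IPv4 customer range
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder for a second IPv4 range
    ipaddress.ip_network("2001:db8::/32"),    # placeholder for an IPv6 customer range
]


def is_allowed_source(client_ip, prefixes=ALLOWED_PREFIXES):
    """True when client_ip falls inside an allowed prefix; malformed input fails closed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in prefixes)


# Matches the client address in a constructed mail-server log line such as
# "connect from unknown[203.0.113.45]" (IPv4) or "connect from unknown[2001:db8::1]" (IPv6).
_CLIENT_RE = re.compile(r"connect from \S+\[([0-9a-fA-F:.]+)\]")


def triage_connections(log_lines, prefixes=ALLOWED_PREFIXES):
    """Split connection log lines into those the allowlist would accept and reject.

    Lines with no parseable client address are treated as rejected, so a
    garbled or hostile log entry never slips through as 'allowed'.
    """
    accepted, rejected = [], []
    for line in log_lines:
        match = _CLIENT_RE.search(line)
        client_ip = match.group(1) if match else ""
        (accepted if is_allowed_source(client_ip, prefixes) else rejected).append(line)
    return accepted, rejected


# Constructed sample log lines (not real Telstra/Bigpond logs).
SAMPLE_LOG = [
    "Dec 10 14:54:01 mx1 smtpd: connect from unknown[203.0.113.45]",
    "Dec 10 14:54:03 mx1 smtpd: connect from unknown[192.0.2.77]",
    "Dec 10 14:54:05 mx1 smtpd: connect from unknown[2001:db8::1]",
    "Dec 10 14:54:07 mx1 smtpd: connect from unknown[198.51.100.9]",
    "Dec 10 14:54:09 mx1 smtpd: connect from garbage[not-an-ip]",
]

if __name__ == "__main__":
    ok, bad = triage_connections(SAMPLE_LOG)
    for line in ok:
        print("ACCEPT", line)
    for line in bad:
        print("REJECT", line)
```

The drawback the post alludes to is visible in the second sample line: a legitimate customer reading mail from an office or a phone on another carrier’s network lands outside the allowlist and is locked out along with the attackers, which is why this only makes sense as a short bridge until passwords have been rotated.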
Telstra users actually choose their own password when setting up their accounts in the shop nowadays instead of being issued a password by Telstra – I’ve been there when a salesman asked a person to write down their choice of password onto a piece of paper so that he could enter it into the computer. I didn’t like that protocol then and I don’t like it now – I shudder to think how many people use the same password on multiple accounts.
We have no way of knowing how long the data breach existed, or how many people viewed the now disabled web page. I would strongly recommend that affected users change not only their Telstra password but also the password of any other sites they have used the same password for, ESPECIALLY if they have used their Bigpond email address as their login name.
In fact, that advice applies to EVERYBODY. Be very careful about sharing passwords across multiple services, and NEVER use non-unique passwords on email, banking or financially sensitive sites. Ask yourself, if a site is hacked or your info is negligently exposed (as happened with Telstra), and somebody got your info from that one site, what other sites could they get access to? Could crooks use your username and password to get into one of your email accounts? Could they then send password reset requests for *other* sites to the email account that they have got into? Think big picture.