MPs and Virgin Media customers both caught in password snafu


Passwords have taken centre-stage today as a report by The Times saying Russian-speaking websites are selling the passwords of UK ministers on the dark web coincides with Virgin Media asking its 800,000 customers to change their passwords for fear of being hacked.

The Times has released a report which says that computer login credentials used by government ministers are being sold online on a Russian-speaking website as part of a bigger list combined from other data breaches.

The lists acquired by The Times is reported to include education secretary Justine Greening and business secretary Greg Clark, the former ambassador to Israel and the director-general of the Department for Exiting the European Union.

The lists are also alleged to contain login details for 1,000 parliamentary staff including many MPs, 7,000 employees of police services and 1,000 foreign office officials.

The three most common passwords used by the police, for example, are allegedly 'police', police1' and 'password'.

The credentials appear to have been sourced from other data breaches, and it is now feared these credentials will be used to log into government accounts, as password reuse on other websites is rife.

Despite security guidance to not reuse passwords, leaks of this nature show it might not be working as it should. Naturally, the National Cyber Security Centre is reissuing guidance to government departments on the topic.

Pete Banham, cyber-resilience expert at Mimecast said in a statement: “This latest password cache appears to be recycled from old breaches.”

“However,” he adds, it is “a prime example of how important it is for individuals, especially those in a position of political power right now, to take more responsibility for password strength and reuse between consumer and business services.”

Which raises a fair point: should those in positions of power be savvy enough to at least use two-factor authentication?

Rashmi Knowles, EMEA field CTO at RSA told SC Media UK that “two factor authentication can help to take the wind out of hackers sails. Company's need to wake up to the fact that you can't police stupid, and employees are always going to be the chink in their armour. As such, it is vital that two-factor authentication is a mandatory minimum requirement  in a company's security strategy.”



This news comes as telco Virgin Media asks 800,000 of its customers to preempt a cyber-attack and change their passwords to be safe.

The move is said to be caused by a report from consumer watchdog Which? that says hackers are able to gain access to Virgin Media's Super Hub 2 router, which in turn allows access to the customers' IoT devices.

The Which? report conducted in partnership with SureCloud said that domestic CCTV cameras and children's toys were vulnerable to attack as a result..

Virgin Media says the risk is small, but as with the story above, Which? opined that the passwords to the routers often remain unchanged and thus “SureCloud was able to gain access to it in just a few days.”

Speaking with the BBC, a Virgin Media spokesperson said that “Security of our network and of our customers is of paramount importance to us.” And added that, "We regularly support our customers through advice and updates and offer them the chance to upgrade to a Hub 3.0 which contains additional security provisions."

In its report, Which? called for an improvement of “basic” security provided, saying “The industry must take the security of internet-enabled and smart products seriously, by addressing the basics such as ensuring devices require a unique password before use, using two-factor authentication, and issuing regular security updates for software.”

Alex Neill, Which? managing director of Home Products and Services, said in a press release: “There is no denying the huge benefits that smart-home gadgets and devices bring to our daily lives. However, as our investigation clearly shows, consumers should be aware that some of these appliances are vulnerable and offer little or no security.

“There are a number of steps people can take to better protect their home, but hackers are growing increasingly more sophisticated. Manufacturers need to ensure that any smart product sold is secure by design.”



Earlier in the month, SC reported on a security vulnerability which had been discovered in the same home broadband routers used by Virgin Media customers.

The vulnerability also facilitated hackers gaining access to the device's administrator panel. Researchers from Context Information Security who discovered it, Context's Jan Mitchell and Andy Monaghan, released extensive research on the vulnerability.

A press release from Context said that, “[the] discovered vulnerabilities in a feature allowing users to create backups of their custom configurations - such as port forwarding and dynamic DNS settings – which could be restored at a later date.”

Even though the configuration back-ups are encrypted, the researchers found that the “private encryption key was the same across all hubs in the UK. This meant that an attacker with access to the administrative interface of a user's hub could download a configuration file, add additional instructions to enable remote access and restore the file to the hub.”

Once completed, this process allows access to the router remotely and can be used to monitor internet traffic from any device attached to the router, which includes any computers, phones and other connected devices.

SC asked Which? if these vulnerabilities are connected to its report and it said they are not.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.