Saturday 24 October 2015

TalkTalk data loss

I was wondering what someone who could access all of TalkTalk's data would get. So I checked what they have on me. Or at least, I checked what I can access via the "Myaccount" web site. Maybe they have data on me apart from that, but I doubt it; I don't give out data on me unless there's a need-to-know. If people insist on me giving them data that I don't think they need to know, then I make something up, which keeps them happy. Yes, I know it's daft. But it makes for an easier life than arguing with some jobsworth "No, you don't actually need to know my birthday". Facebook thinks I'm 115 years old.

Name (which isn't actually my name), address (which isn't my street address), phone number, username for TalkTalk account and password (now changed). They'd have my mobile number, but I didn't give it to them.

Then, for DSL accounts:

Login, IP address, password (they don't store it one-way encrypted!)
Email name, email password (I don't use their email, but now someone else can).
Webspace URL, username, password (I don't use their web space)

I don't see how I can change that password using their web site. The method that they give on their web site doesn't work. Here's what I get:

Email information and settings for

No Information available at this time. 

All the passwords for email and web space are displayed, so they aren't even storing them encrypted (they should use a salted hash). Duh! Security 101: you don't keep passwords where someone online can read them, not even the user! Here's Graham Cluley's article on this. And here's a nice explanation, how not to store passwords.

So tough luck on anyone who is actually using their TalkTalk mailbox.
