You’d think that after Sony’s big security hiccup last year, when most PlayStation 3 owners had their details stolen by hackers, companies would have learned their lesson. Virgin, despite having a founder whom I heartily agree with on a few things, seems to be one of the companies that hasn’t, as according to an admission on its official Twitter account, its phone authentication passwords are stored in plaintext.
This all came about because one Twitter user commented that a phone operator at Virgin had just read his password out to him. A Virgin representative quickly responded that not all passwords are stored in plaintext, just the one used for phone authentication. It did admit, however, in a later tweet that the operator should perhaps have asked for a couple of characters from the password rather than reading out the entire thing.
While this might not seem like a big problem in context, if you take into consideration the lengths some people go to in order to socially engineer their way into others’ identities, it wouldn’t be too difficult to obtain someone’s Virgin account details over the phone. Once you have those, it’s not hard to imagine fobbing your way into a Virgin online account, which could hold credit card details, service subscriptions and even more personal information that could then be used to get into other accounts.
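To make the difference concrete, here is an added illustration (it is not code from the article or from Virgin’s systems) that puts the weak design beside the hardened one. The customer record and secret are constructed sample values. In the plaintext design the lookup an operator performs returns the secret itself, which is exactly what lets it be read out over the phone; in the hashed design the record holds only a salt and a slow PBKDF2 hash, verification answers yes or no, and nothing in the system can hand the secret back.

```python
import hashlib
import hmac
import os

# Constructed sample record for a hypothetical customer; neither value comes from the article.
CUSTOMER_ID = "cust-0001"
PHONE_SECRET = "correct horse battery"


# --- Weak design: the secret is stored exactly as typed. Anyone who can read the
# record (an operator looking up the account, or a leaked database dump) sees it.
def store_plaintext(db: dict, customer_id: str, secret: str) -> None:
    db[customer_id] = {"phone_secret": secret}


def operator_lookup_plaintext(db: dict, customer_id: str) -> str:
    # Returns the secret itself: this is the call that lets it be read out over the phone.
    return db[customer_id]["phone_secret"]


# --- Hardened design: store only a salted, deliberately slow hash. The only question
# the store can answer is "does this candidate match?", so an operator cannot read it back.
def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-record salt; iteration count is a constructed choice.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 200_000, dklen=32)


def store_hashed(db: dict, customer_id: str, secret: str) -> None:
    salt = os.urandom(16)  # unique per record, so identical secrets hash differently
    db[customer_id] = {"salt": salt, "phone_secret_hash": _hash_secret(secret, salt)}


def verify_hashed(db: dict, customer_id: str, candidate: str) -> bool:
    record = db.get(customer_id)
    if record is None:
        return False  # unknown account: fail closed, no hint about which part was wrong
    expected = record["phone_secret_hash"]
    actual = _hash_secret(candidate, record["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, actual)


def operator_lookup_hashed(db: dict, customer_id: str) -> dict:
    # Everything an operator could see: a salt and a hash, neither of which is the password.
    return db[customer_id]


if __name__ == "__main__":
    weak_db, hardened_db = {}, {}
    store_plaintext(weak_db, CUSTOMER_ID, PHONE_SECRET)
    store_hashed(hardened_db, CUSTOMER_ID, PHONE_SECRET)
    print("weak lookup exposes:", operator_lookup_plaintext(weak_db, CUSTOMER_ID))
    print("hardened lookup exposes:", operator_lookup_hashed(hardened_db, CUSTOMER_ID))
    print("correct secret verifies:", verify_hashed(hardened_db, CUSTOMER_ID, PHONE_SECRET))
    print("wrong secret verifies:", verify_hashed(hardened_db, CUSTOMER_ID, "wrong"))
```

One design caveat worth noting: the "give me the second and fifth characters" style of phone check that Virgin itself mentioned cannot be served from a single whole-secret hash, which is one reason such schemes tend to push systems toward plaintext storage. A store that wants partial checks has to either hash each requested position set separately or, better, move phone verification onto a different secret (a one-time code sent to the customer) so the main password never needs to be readable by anyone.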
KitGuru Says: Hopefully, once a bit of light has been shone on this instance, Virgin will tighten its security policies. In the meantime, make sure your Virgin passwords aren’t used anywhere else, or some nefarious individual might find their way into your other accounts.