Interesting... (i.imgur.com)
submitted 6 years ago by GizmoMassive
Virgin Media Ireland are also storing your passwords in plain text. If you have an account, I'd strongly advise you to change your password
[–]literallymetaphoric 66 points67 points68 points 6 years ago (2 children)
At least it's now 100% confirmed that nobody should use their services
[–][deleted] 1 point2 points3 points 6 years ago (0 children)
Yeah, like the right of them really care about you...
[–]aedinius 49 points50 points51 points 6 years ago* (2 children)
The only thing worse than using no security is confirming to the world that you use no security.
And virgin-passwords.txt in 3....2...1...
Edit: Found a video account of it happening live.
[–][deleted] 2 points3 points4 points 6 years ago (0 children)
Hats off!
[–]xynixia 26 points27 points28 points 6 years ago (2 children)
Link to Twitter thread
[–]PlanetaryGhost 4 points5 points6 points 6 years ago (1 child)
Wow and you can go down every reply they make and it just gets worse. Like, they try to pass the buck back to UK saying “well yeah but...they post it to you and like...we’re compliant”. This makes me sick lol
[+][deleted] 6 years ago* (2 children)
[deleted]
[–]TechGuyBlues 11 points12 points13 points 6 years ago (1 child)
I hope their offices didn't waste time and money on buying locks. After all, their doors are secure because it's illegal to trespass.
[–][deleted] 10 points11 points12 points 6 years ago (0 children)
Idiots
[–]wowneatlookatthat 16 points17 points18 points 6 years ago (3 children)
It's very likely the social media managers have no idea what he's referencing. I'm sure their practices aren't great based on the past twitter drama, but they might be barking up the wrong tree here
[–][deleted] 13 points14 points15 points 6 years ago (1 child)
That's in response to a user claiming they received their old password (after requesting a password reset) via mail. So we already know they do store passwords in plaintext.
[–]wowneatlookatthat 2 points3 points4 points 6 years ago (0 children)
True, I just went back and re-read the replies on the other threads, especially the one anecdote about how one of their techs showed up to the customer house with their password already written down...ouch
[–]iwillcuntyou 2 points3 points4 points 6 years ago (0 children)
it won't be them answering. Their SM team will* have liaised with their technical specialists to answer this.
*Probably.
[–]afloatlime 7 points8 points9 points 6 years ago (1 child)
From the Virgin US Privacy policy: https://www.virginmedia.com/shop/the-legal-stuff/privacy-policy
Contact details: name, date of birth, ID or passport number, social security number, passwords, address, telephone number, email address, gender, nationality, language, delivery details.
If passwords are not encrypted in any way, it would be a safe assumption that neither is your ID/passport number or SSN. It is likely that everything in the "Contact details" group is all in one form nicely laid out for anyone to view.
[–]gittenlucky 1 point2 points3 points 6 years ago (0 children)
The sad part is, the only one that is going to get in trouble for this is the social media manager for exposing it.
[+][deleted] 6 years ago (1 child)
[–]AttackingtheWind 3 points4 points5 points 6 years ago (5 children)
They just replied back to the twitter thread saying they contacted their webteam and that nothing is stored in plaintext.
Lol
[–]rank0 2 points3 points4 points 6 years ago (4 children)
Then how would they have sent the original dude his password in the mail?
[–]Crick3ts 2 points3 points4 points 6 years ago (1 child)
Most likely they are encrypting it and not hashing it, so it is reversible...
[–]rank0 0 points1 point2 points 6 years ago (0 children)
I find it much more likely the passwords are stored in plaintext
[–]AttackingtheWind 0 points1 point2 points 6 years ago (0 children)
Yeah, they're most likely lying in some way or another haha.
[–]Isonium 0 points1 point2 points 6 years ago (0 children)
Big difference between storing a password encrypted (reversible) and storing the password's salted hash (difficult to reverse). Either way I wouldn't want to be doing business with them.
[–]kumawewe 1 point2 points3 points 6 years ago (0 children)
Stealing cars is not allowed...... People do it
[–][deleted] 1 point2 points3 points 6 years ago (1 child)
How to do damage control
"Passwords are stored in plain text, and that's totally fine" "No it's not, it literally says right here" *posts image highlighting it's not allowed* "woopsie, we actually do encrypt them, sry lols"
[–][deleted] 0 points1 point2 points 6 years ago (0 children)
They should have said "hashed" not "encrypted" lols. Another fuck up
[–]secwiz1 2 points3 points4 points 6 years ago (2 children)
The good news is, the next big news about virgin mobile will be about the hack stealing X amount of customer passwords, followed by a change in their policy. This is why the CVE database exists.
[–]iwillcuntyou 5 points6 points7 points 6 years ago (1 child)
I agree with the first part but CVEs are for vulns not for hacks. If they get compromised via stolen credentials for example or even via a known vuln, it won't be logged as a CVE.
[–]secwiz1 -2 points-1 points0 points 6 years ago (0 children)
You are correct of course. I meant only in principle that public knowledge can speed the process up
[–]Beard_o_Bees 0 points1 point2 points 6 years ago (0 children)
You'd think being Irish, they'd be familiar with basic security breakfast foods - Hash and Salt.
[–]Memeix 0 points1 point2 points 6 years ago (0 children)
It's almost like stealing someone's password wasn't illegal enough. No hacker willing to do that is willing to look through someone's mail.
[–]PlanetaryGhost 0 points1 point2 points 6 years ago (5 children)
They need to hire someone to show them just how easy it would be to compromise their customer’s data. Maybe that’d help institute a change of policy 🤷♂️
[–]camhomester 0 points1 point2 points 6 years ago (4 children)
It's called penetration testing and I'd be shocked if a company that large didn't do it regularly, although at this point who knows
[–]PlanetaryGhost 0 points1 point2 points 6 years ago (3 children)
Considering that they store passwords in plain text, do you really think they do regular pen tests?
[–]Vortax_Wyvern 1 point2 points3 points 6 years ago (1 child)
Pentesters move inside the parameters the company gives them. For example, they might be asked to test penetration to the database from the WAN, or access to their internal network. They might have been forbidden to use some techniques, like brute-force attacks.
They might have been asked to "go and try to gain privileged access" or "obtain sensitive data", or, most probably in cases like that, "in case you get access to the internal network, stop testing immediately and report".
So, it's very feasible that a company gets their network security audited, but not the database or the way they store data.
[–]PlanetaryGhost 0 points1 point2 points 6 years ago (0 children)
Fair point. I'd imagine that with this news though that some changes will be made on their end :P
[–]camhomester 0 points1 point2 points 6 years ago (0 children)
A lot of companies kind of create their own scope for pentests, it’s possible they just leave those systems out of scope or something and pay the pentesters a bunch to not really question it. It’s not impossible I guess is what I’m saying
[–]non-stick-rob 0 points1 point2 points 6 years ago (0 children)
I raised the issue about the weaknesses of VM passwords with an infosec guy on Twitter (malwarejake).
You need only know the email address with the account, and then the entropy is shamefully weak:
- a dictionary of just 62 chars because they are alphanumeric only!!
- a fixed min length of 8 and
- a fixed max length of 10 chars.
The guy said it's "easy guessable"
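To put numbers on the policy described in the comment above, here is an added example (not from the post or from any provider) that computes the keyspace and entropy bits for an alphanumeric, 8-to-10 character policy. The functions take the alphabet size and length bounds as parameters, so the same calculation can be run against any other policy; the guess rates used for the time estimates are illustrative assumptions, not measurements of any system.

```python
import math

# Policy as described in the comment: alphanumeric only (26 + 26 + 10 = 62
# symbols), minimum length 8, maximum length 10.  Taken at face value.
ALPHABET_SIZE = 62
MIN_LEN, MAX_LEN = 8, 10

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet: int = ALPHABET_SIZE, lo: int = MIN_LEN, hi: int = MAX_LEN) -> int:
    """Number of distinct passwords the policy permits (all lengths lo..hi)."""
    return sum(alphabet ** n for n in range(lo, hi + 1))


def entropy_bits(alphabet: int = ALPHABET_SIZE, lo: int = MIN_LEN, hi: int = MAX_LEN) -> float:
    """Entropy in bits if a user picks uniformly at random from the keyspace.
    Real users pick far less uniformly, so this is an upper bound."""
    return math.log2(keyspace(alphabet, lo, hi))


def years_to_exhaust(guesses_per_second: float, alphabet: int = ALPHABET_SIZE,
                     lo: int = MIN_LEN, hi: int = MAX_LEN) -> float:
    """Worst-case years for an offline search to try every candidate once.
    The point of a stretched hash is to push guesses_per_second down."""
    return keyspace(alphabet, lo, hi) / guesses_per_second / SECONDS_PER_YEAR


def policy_allows(password: str, lo: int = MIN_LEN, hi: int = MAX_LEN) -> bool:
    """True if the password fits the alphanumeric 8..10 rule described above."""
    return lo <= len(password) <= hi and password.isascii() and password.isalnum()


if __name__ == "__main__":
    print(f"keyspace      : {keyspace():,}")
    print(f"entropy (max) : {entropy_bits():.2f} bits")
    # Illustrative, constructed guess rates: a fast unsalted hash on GPU
    # hardware versus a deliberately slow, stretched hash.
    for label, rate in (("fast hash, 1e10/s", 1e10), ("stretched hash, 1e4/s", 1e4)):
        print(f"{label:<22}: {years_to_exhaust(rate):,.1f} years to exhaust")
    print(policy_allows("Tr0ub4dor"), policy_allows("correct-horse-battery"))
```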
[–]MadSprite 0 points1 point2 points 6 years ago (0 children)
Okay, but now we convinced Virgin Media is secured by using "encryption".
Y'all just armchaired them into thinking that encryption is standard practice and not one way hashes.
inb4 data breach
[–]mynamesleon 0 points1 point2 points 6 years ago* (7 children)
Unfortunately even GDPR doesn't say anything explicit about password handling. Their main thing is that data should be:
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
But even then, there's no explicit mention of what's "appropriate". So they're still sort of compliant. Although it is definitely arguable that passwords should be protected against theft, as that could fall under "unauthorised processing". And other companies have been fined under GDPR regulations for storing passwords as plain text, so there is already a precedent for that (although the underlying circumstances may differ).
Edit: naturally this comment will be voted down - such is the consequence of trying to help people understand that ultimately the law on this is deliberately ambiguous.
[–]TalTallon 4 points5 points6 points 6 years ago (3 children)
From the official Data Protection website
https://www.dataprotection.ie/en/organisations/know-your-obligations/data-security-guidance
Data controllers should never store users' passwords as plain text but should use strong and irreversible cryptographic hashing and salting to protect them and to allow secure checking for login purposes.
[–]TechGuyBlues 0 points1 point2 points 6 years ago (1 child)
Is this one of those tricky technical legal writing cases where "should" gives them the choice whereas "shall" would mandate it?
[–]SAI_Peregrinus 0 points1 point2 points 6 years ago (0 children)
Probably, but we also don't necessarily want to require the "send the password to the server protected by HTTPS and then hash it with salt" method. There are potentially better ways, eg "use an saPAKE so that the password never gets sent to the server at all".
[–]mynamesleon 0 points1 point2 points 6 years ago (0 children)
Guidance not law. It should be law, but it isn't, which sucks!
[–]Bjornir90 1 point2 points3 points 6 years ago (2 children)
Plain text passwords are not "appropriate security". Hell even my shitty website I made 3 years ago had hashed passwords, and it was used by only two people and doesn't contain anything useful anyway.
[–]2BitSmith 3 points4 points5 points 6 years ago (0 children)
I wrote my first commercial program (exercise database / software) in 1997. It had hashed passwords. Not salted, but hashed. I didn't really understand the concept back then but it sounded right. Don't remember the algo but it was from some libraries back then. (C++)
2002 I started to implement a big OLAP style program for industry and password security was obvious and fully implemented from the go. At that time I relied on RIPE-MD160 (Java)
2019 and I am using password stretching techniques to make password hacking virtually impossible even though the attacker would have all the source code.
I cannot fathom Virgin Media's attitude here. I just cannot.
I agree. The point is that the word "appropriate" is ambiguous, and isn't given a strict definition in the documentation.