A week ago my ntlworld account got hacked. I recovered it, thankfully, but have been monitoring the forums since and it seems this has been happening to an awful lot of people. It caused me a great deal of anxiety (my Microsoft account was also hacked) and others seem to be suffering as well.
I’m still a VM customer but am making steps to stop using my NTL email account, but it seems there are some questions for VM to answer -
1) Why are email accounts associated with closed VM accounts not closed down and deleted after 90 days as per contractual terms?
2) What are VM doing about account security? This many people being hacked can’t be solely down to poor individual user security.
3) When I’m in a position to stop using my NTL email account, can I delete this myself - the address linked to the primary account holder is not an NTL/VM/Blueyonder email address - and then be sure it WILL be closed and cannot be hacked?
COME ON VM!! I’ve seen reference from forum staff in relation to (1) above that “some fall through the net” - NONE should fall through the net, start complying with your own contractual terms!
If there’s a problem with VM security, which it certainly seems there is, be good enough to admit it AND FIX IT. We pay a pretty penny every month to use your services and expect a decent quality of service.
Fundamentally, the problem is that VM's email service is outsourced on the cheap, is no longer a "core service", is used only by a few hundred thousand customers, hasn't been provided to any new customers for a year or more now, and will eventually be completely closed down. Whilst the poor security is evident, ask yourself why VM would spend any money addressing that? The nature of any outsource agreement is that any change not carefully planned into the service level agreement at the start is always charged at wildly expensive "non standard service rates", so changes to improve security will be massively expensive to VM, even if the email provider only needs to flick a switch. And I'd guess that the obvious change of mandatory 2FA for password changes or universal reset of passwords to ISP-set randomised passwords would be both painful and expensive.
From the number of complaints about VM emails being hacked, I'd guess that scammers have found some specific vulnerability about VM's email service, and are using that to hack accounts. Perhaps it permits unlimited login attempts and doesn't have timeouts or other security measures, and/or doesn't treat attempted password changes from non-UK IP addresses as suspicious? Given the originally very limited number of characters allowed for VM accounts, simply brute-force attacks trialling all the 10,000 most common passwords would offer up a good haul for the criminals (and note that there's readily available lists of the 100,000 and 1,000,000 most frequent passwords. The other possibility would be that the email provider's internal security has failed, and they are the ones who've been compromised.
Regarding the accounts continuing to be used by non-customers, that's been something VM have been slowly trying to tidy up for a while now, but only from the perspective that it costs VM money to provide the email service. Those sweeps to close off non-customer accounts have never been 100% effective, that'll be because they're undertaken to VM customary standards of excellence.
Hi Leffemonster, thanks for the message and sorry to hear that there has been an issue with the email address.
Every 90 days we do a purge of emails and there are some instances when they fail to be deleted but this can be resolved via an IT ticket. This would not be the case with an active account.
When our internet security detects an issue with an email address they will contact you and ask you to update the password, they normally lock the account and will not be unlocked until the password is changed.
When you leave we will be able to raise an IT ticket to close the email.
We recommned that all customers use a stong password and have an antivirus checker running