cancel
Showing results for 
Search instead for 
Did you mean: 

Possible hacking

ALF28
Super solver

On two occasions jan and Feb 2020 the password failed on my virgin secondary email login,had to reset using security question. It is the email address used for community. There was nothing wrong but not sure why password failed for no apparatus reason. It ia a virginmedia.com email. Is there a way to ensure the 10 digit password is strong, I normally use upper and lower case letters and some numbers, what are the restrictions if any, I assume symbols not allowed. When the failures occurred I tried several times retyping user name and paswords to check my typing, same result failed.

Can 10 letters be used or is it best to include some numbers which I do, but an example of a very strong 10 digit  password would be useful, I presume best to avoid words in case of dictionary attack or names, birthdays etc.

I suppose at the time the virgin log in may have been down temorarily but it said wrong details entered but the password reset worked and let me in.

.

 

11 ACCEPTED SOLUTIONS

Accepted Solutions

Katie_WT
Forum Team (Retired)
Forum Team (Retired)

Hi there @ALF28

 

Thanks so much for your post - sorry that you had some issues with your password for your emails recently. 

 

Glad to hear that you did manager to go through the password reset though. 

 

In regard to setting a "Strong" password, we would always advise to not use any dictionary word and use a variation of numbers and letters.

 

For things like your MyVirginMedia password, the only restrictions are that it starts with a letter and contains at least 1 number. It must be between 6 - 10 characters long. 

 

For more information on setting a strong password, take a look at our dedicated help page here: Setting a Strong Password

 

Cheers

Katie - Forum Team


See where this Helpful Answer was posted

ALF28
Super solver

If a hacker got into account he could change the security question and lock you out, there is no ecovery email system ? And if so should an alternative email be entered in the profile. As there is no verification system using sms text or reset codes like Gmail,  outlook for example. IT is very dangerous to loose contol of email. Although I have had passwords fail a few times including primary account, I have been lucky and always managed to get back in.

Secondary emails can of course be deleted by the account holder and new one s easily opened, an advantage there.

I personally always use web mail, having tried thuderbird the emails had wrong time stamps and folders did not always work well.

If a hacker knows your email can they use a client to try to hack password or would virgin still block multiple attempts by client.

Also if you use a client your data is on a clients server as well as virgin, possibly less secure so I never use clients like thuderbird,  bluemail etc.

See where this Helpful Answer was posted

Katie_WT
Forum Team (Retired)
Forum Team (Retired)

If you ever have an issue and are unable to reset your password for any reason or beleive you have been hacked, our Tech Support can go through security with you and reset your password for you @ALF28

 

Ensuring customer data is secure is of utmost importance to us and we continually invest in our security systems to keep our customers safe online.

 

In common with every other company, our login process requires customers to use unique passwords using a variety of characters. Additional technical controls and anti-fraud measures defend against unauthorised login attempts.

 

Our engineers regularly review our systems and carry out updates – and account security is always a top priority.

 

Cheers

Katie - Forum Team


See where this Helpful Answer was posted

newapollo
Very Insightful Person
Very Insightful Person

Hi ALF28,

Nothing has changed on the forum log in page.

I use the forum auto login feature to keep me signed in on my main PC, however I don't have this enabled when using a tablet or mobile.

Each device can be individually set to remain signed in via the forum home page.

As you can see from my screenshot (taken after I purposely logged out) my username and password fields are pre filled allowing me to just click on sign in.  This is because I enabled the save password feature within my Google Chrome browser.

To disable that I would have to log into my browser settings and delete the saved password for that site.

After doing that the next time I would need to manually enter my sign in details for that site, however there would be a pop up box from my browser asking if I wanted to remember those details. I would then have a choice yes or no.

 

Clipboard01.jpg

Dave
I don't work for Virgin Media.
I'm a Very Insightful Person, I'm here to share knowledge.
Problem solved? Click to mark as a Helpful Answer, or use Kudos to say thanks
The do's and don'ts.
Keep the community welcoming for all. Please read the FAQ's
The Service you do for others is the rent you pay for your room here on Earth - Muhammad Ali

See where this Helpful Answer was posted


@ALF28 wrote:

what is auto sign in????

on my computer I always input user name and password to log in, so how does auto sign in work and if I can not switch it off is this a security risk.

seems no one has an answer to this one????

why provide the option if it does not function?  is it linked to the radio button at log in?

where are the experts??? perhaps they do not know the answer either???

is this a temp glitch?

any one else got it or just me??

If it is not switched off , and can not be switched off, does that mean access to my account is open and nor secure?


 

Automatic login means that the "Cookie" stored when you logged in will use a "Session ID" token to log you in with future visits.  Sites are generally tied to the IP and the Hardware information, so if your IP changes or you try copying the "Cookie" to another computer then the site would force you to log in again.  Your Password and Username should never be stored by the website (it's possible but really unlikely).  Delete all your cookies and it will "log you out".  Be aware this is different than the browser storing the login details, cookie or not the browser can be set to remember the username and password.

I can see you have a lot of concerns going by your other post.  Let me say this, a google or darkweb search of your email will bring up a lot of listings. The avast search seems to be a bit meh...  I have a few accounts that have had leaks happen and the avast search doesn't pick up on any of them, Avast are big with ad-pushing so expect a load of ads.  https://haveibeenpwned.com/ has been around a lot longer and might be of more use to you.  If Avast are sharing whole passwords with you then that's bad and they should be ashamed.  As you mention, having an email account stolen is bad, but what if Avast now sends a stolen email account a list of all passwords leaked with that email account and sites used - that can now be reset.  You should look at the list and if it shows a password you use stop using it, sites that it list you should at a minimum reset the passwords to (if they are legit sites you have used).

Virgin media should introduce 2FA into password resets, even if a option that must be enabled, shame on them and their lax security design.  I imagine it's because they would have a difficult time training the staff to support it, and have a difficult time with customers that struggle to use it.

"Hacking" users is really quite rare, yes some papers will say that a "hack" is attempted every 30 seconds, and that's likely true.  With 4.5 billion people on the internet then you can see that 1 million people getting "hacked" every year really isn't a biggie (assuming every attempt was against a person, and every one was a success).  Most hacks are against large companies and most of those are failures.  Small sites tend to be "hacked" often enough for one to be concerned, but as you point out - don't use the same password(s).

In regards to Gmail allowing disabling of IMAP and POP, be aware it still allows IMAP and POP but you log in using OAuth2 instead (the hosting packages are different).  What Google does have good is the ability to see (and disconnect) devices, and see historical usage such as the devices and IP addresses that were used to sign in.  Virgin doesn't have this ability at all and they should.

If your really concerned then you could open a email account with someone else (that offers 2FA or 3FA) or even logging in with a FIDO key (Yubikey, Google Titan, few others - avoid Bluetooth).  A FIDO based password manager.

Be aware that just because a search brings up your email address, it doesn't mean much unless they have the password to go with it.  In the old days spammers would target every email address - and the mail servers would respond by saying user doesn't exist.  so a@vm.com then aa@vm.com then aaa@vm.com (You get the idea).  Sometimes you make a spam list just because it knows the account is real and active.  Like the double glazing door knockers that are more persistent if you have 3 cars in the driveway.

----
I do not work for VM, but I would. It is just a Job.
Most things I say I make up and sometimes it's useful, don't be mean if it's wrong.
I would also make websites for them, because the job never seems to require the website to work.

See where this Helpful Answer was posted

newapollo
Very Insightful Person
Very Insightful Person

ALF28,

Forget about Google still showing your old IP address. They actually keep a record of something around the last 10 ip addresses you used. 

If they thought you were being compromised they would soon let you know. In fact they usually send an automated email if they see you ahev signed in from a different device/location to normal.  They have their own cache which is independent to your browser cache and so may take a while to update and show the new IP address.

You can log into your hub browser and confirm the IP address you have been allocated. 192.168.01.1  Admin > Info >  IPv4 address which will correspond with the one you are seeing when looking at the whatismyipaddress website.

Dave
I don't work for Virgin Media.
I'm a Very Insightful Person, I'm here to share knowledge.
Problem solved? Click to mark as a Helpful Answer, or use Kudos to say thanks
The do's and don'ts.
Keep the community welcoming for all. Please read the FAQ's
The Service you do for others is the rent you pay for your room here on Earth - Muhammad Ali

See where this Helpful Answer was posted

newapollo
Very Insightful Person
Very Insightful Person

Hi again ALF,

VM probably changed your IP address when they where doing local maintenance work. That could have been due to local issues or segmentation. You might need to pair your tp link to your router again as it may still be looking for the old ip address?

Dave
I don't work for Virgin Media.
I'm a Very Insightful Person, I'm here to share knowledge.
Problem solved? Click to mark as a Helpful Answer, or use Kudos to say thanks
The do's and don'ts.
Keep the community welcoming for all. Please read the FAQ's
The Service you do for others is the rent you pay for your room here on Earth - Muhammad Ali

See where this Helpful Answer was posted

Anonymous
Not applicable

@ALF28 wrote:

HACKING

how long to crack your virgin password-test a similar one just to see how secure it is.

see

How Secure Is My Password?

Mine came up 3 days, not long. Only 10 digits is poor these days. (numbers, lowercase and upper case, has no special characters)

 


The problem with that logic is. It assumes you can check 100,000 passwords a second. This assumes local attacks with no account lockouts in place.


If you can only check 10 password attempts before locking the account out you can't brute force the passwords online.

But never use VM or any ISP email. They are free services because a long time ago it was expected that ISP gave emails so they still do at the lowest cost.

Go with a free or paid services whos business is email and not an ISP

See where this Helpful Answer was posted

By far the most common way that people’s accounts are ‘hacked’ is due to the fact that even now, despite all good advice, many still insist on using the same password / email address combination across multiple sites. If only one of them gets breached then that password and address is tried against all sorts of sites (it’s often referred to as credential stuffing), absolutely no hacking skills required whatsoever.

And, of course the other common method is via a bogus website which looks exactly like the legitimate one, get a user to visit the bogus site, enter their credentials and that’s it.

See where this Helpful Answer was posted

coenoby
Very Insightful Person
Very Insightful Person

@ALF28 wrote:

If brute force attacks are locked out after 10 tries, how come customers still do get hacked, must be the data breach


Also, don't forget about the effects of malware on your devices which can be installed in a variety of different ways and is good at hiding itself.

Keyloggers can steal your passwords by logging your keystrokes and autofill capture software can steal passwords stored in your browser.

Plus of course, there are the remote access scammers who convince their victims to allow them to access their computer using software such as Teamviewer.

Coenoby

 

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

See where this Helpful Answer was posted

Anonymous
Not applicable
"A hacker can easily get control of computers"
Ok now you are just scare-mongering.

Hacking is not easy. Its not as wide spread as you think.
unless people are stupid and give away passwords the chances of being hacked are pretty small

See where this Helpful Answer was posted

54 REPLIES 54

Katie_WT
Forum Team (Retired)
Forum Team (Retired)

Hi there @ALF28

 

Thanks so much for your post - sorry that you had some issues with your password for your emails recently. 

 

Glad to hear that you did manager to go through the password reset though. 

 

In regard to setting a "Strong" password, we would always advise to not use any dictionary word and use a variation of numbers and letters.

 

For things like your MyVirginMedia password, the only restrictions are that it starts with a letter and contains at least 1 number. It must be between 6 - 10 characters long. 

 

For more information on setting a strong password, take a look at our dedicated help page here: Setting a Strong Password

 

Cheers

Katie - Forum Team


ALF28
Super solver

If a hacker got into account he could change the security question and lock you out, there is no ecovery email system ? And if so should an alternative email be entered in the profile. As there is no verification system using sms text or reset codes like Gmail,  outlook for example. IT is very dangerous to loose contol of email. Although I have had passwords fail a few times including primary account, I have been lucky and always managed to get back in.

Secondary emails can of course be deleted by the account holder and new one s easily opened, an advantage there.

I personally always use web mail, having tried thuderbird the emails had wrong time stamps and folders did not always work well.

If a hacker knows your email can they use a client to try to hack password or would virgin still block multiple attempts by client.

Also if you use a client your data is on a clients server as well as virgin, possibly less secure so I never use clients like thuderbird,  bluemail etc.

Katie_WT
Forum Team (Retired)
Forum Team (Retired)

If you ever have an issue and are unable to reset your password for any reason or beleive you have been hacked, our Tech Support can go through security with you and reset your password for you @ALF28

 

Ensuring customer data is secure is of utmost importance to us and we continually invest in our security systems to keep our customers safe online.

 

In common with every other company, our login process requires customers to use unique passwords using a variety of characters. Additional technical controls and anti-fraud measures defend against unauthorised login attempts.

 

Our engineers regularly review our systems and carry out updates – and account security is always a top priority.

 

Cheers

Katie - Forum Team


hope your engineers do review security, as I have in the past and recently had to reset my passswords on secondary accounts to log in but I am secure I hope at the moment.

however I provide my thoughts as feedback- If someone did get get your password via middleman software attack for instance, easy to do I understand these days, the they could hold your password without you knowing and view your personal  emails, a high securuty risk.

I have started to use vpn  as better security but think virgin should at least consider the following extra security.

last access date data, 2 step log in using sms text to mobile, email verification for password change, not just security question, backup security codes.

I know you say the virgin email is secure, but without 2 step verification one is never totally sure that no one else can get in if they hack your password and email address, that's all you need. I set my browsers not to remember passwords just in case. Also I only use web mail now as third party clients store your email possibly on insecure servers.I do regularly change my password just in case. Pleased to see you use robot checking though  which clicks in if I log many times in a short period, some re-assurance there.

so just wondered why virgin email has less protections than some free email services?

also most online accounts now display last login date and time, perhaps that would be a good idea for virgin accounts./email not sure if virgin do that?

Rachael_F
Forum Team (Retired)
Forum Team (Retired)

Hi ALF28,

 

We really appreciate your feedback and welcome any constructive comments our customers have to offer!

 

We'll pass your suggestions on to our internet security team for their consideration.

 

Thanks,

Rachael

strange thing has occurred several times to me, I log in and see an email has moved from its allocated folder to a different folder,yet on previous log in that folder was empty, not sure why it happens or if there has been a glitch after moving the email but on some occasions it moves to the spam.

so, not sure if it me doing mistakes or some quirk of the system but is a regular occurance, (wondered if anyone else gets this?)

I can see no reason for it to happen so puzzled and even thought some one else has done it?

will continue to observe this and see if  continues.

 

Hi ALF28

Your concerns have been passed on to our internet security team.

Please do keep us updated.

Regards

 

Lee_R

Some days logging into virgin account  recently captcha requires robot check, then when logged into the account I click on  email requires to log in again for second time, no problem but if only email is wanted then best to click on the email tab first, however I the found the email kept hanging all the time with thing not working so I "changed my password" which took many attempts as it kept hanging, logged in and out and "all problems stopped and captcha switched off", have had it a few times. So not sure if the system was slow that day or if there was an issue with my account or password. At first I thought it was because too many log in's in a period but discounted as it can be present occur after long break period so appears to be random and the other possibility is virgin have problems or have put captcha on for security issues but I wonder what actually triggers captcha to switch on or is it random?, it is third part software so may be independent of virgin?

I certainly have no objection to captcha and consider it does a good job stopping hacking.

If having log in issues a password change or reset usually cures it from my experience.

PASSWORD FAILED

Could not log into my virgin account today, tried a few times, so had to reset  the password using  the security question and  this worked OK.

Not sure why this happened but changed everything in my profile just to be on the safe side, the account seemed alright but not sure if someone accessed the account/email without permission and changed password??