Virgin Media spoof email mystery: Customers take to Facebook

Customers of Virgin Media who are increasingly convinced their service provider has been victim of a security breach have formed a Facebook group to share their experiences and push for answers. Virgin Media is firmly denying any breach of its systems but users are equally adamant that the cause of a widespread and ongoing …

  1. Doctor_Wibble

    Actual breach or a loose HDD?

    We all love to assume someone got hacked but just for the sake of argument (and masochism when this gets shot down) what if the migration also involved temporary use of non-secured storage, e.g. not encrypted and not nailed down?

    If you want a conspiracy, I keep seeing coincidental surges in received spam (and attempts at it) within a matter of days of sending email to both gmail and yahoo accounts.

    1. Tom Chiverton 1

      Re: Actual breach or a loose HDD?

      I can't see any evidence that the accounts weren't just hacked into some other way? Where's the gun, smoking or otherwise pointing at NTL^WVirgin?

      1. Doctor_Wibble

        Re: Actual breach or a loose HDD?

        True enough there's that many ways of getting hold of collections of email addresses, and rather oddly I wasn't trying to put the blame on either party, merely trying to help by adding yet more possibilities based on who might have had access to what, and when, and there's also the question whether the HDD in question was 'somewhat unofficial'.

        I certainly didn't want to suggest that google are infallible, there's already more than enough people that do that!

      2. Anonymous Coward

        Re: Actual breach or a loose HDD?

        the smoking gun is, apparently, that the spoofing began shortly after virginmedia migrated from google (platform) to their own. Whether smoking, I can't say. Coincidences do happen, and so do providers' cockups (and their vehement denials). Given the matter won't be independently investigated (ICO making "inquiries", lol), it probably will never be positively verified either way.

  2. Anonymous Coward

    Migrated from Google to its own

    Most commenters here say "mail addresses from years ago" and "held on their 'Virgin Media' servers"...

    If they only just migrated to THEIR (Virgin) servers, shouldn't you be looking at Google for the leak?

    not to ruin a good rant by introducing a logical thought.....

    1. leexgx

      Re: Migrated from Google to its own

      very unlikely it's google, more likely virgin is storing the emails in an accessible way without a password, not sure why virgin went down the trouble of moving part of the way off google mail as it worked perfectly fine until they removed all the gmail brandings and services from the account (it's still a gmail account just it now only uses gmail UI now and none of its protections it had in the past)

      like yahoo does, except you can see that they accessed your email account without a password on yahoo, well you used to be able to until they removed the detailed login/IP history page

      it relates to this problem on yahoo

      http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/#gref

      that yahoo have been having for a long time and people's yahoo accounts are still being silently compromised now, they seem to login via the yahoo mail app without a password, once they are in they then access the website version and then scan all emails and contacts and send a burst of spam out (this issue still happens as my customer last week had 2 out of their 4 yahoo/btinternet mail accounts accessed for spam sending, they use thunderbird)

    2. Alan Brown Silver badge

      Re: Migrated from Google to its own

      "If they only just migrated to THEIR (Virgin) servers, shouldn't you be looking at Google for the leak?"

      Not necessarily.

      Yes, all it takes is the credentials for the migration tools to leak to the wrong bods and $BADGUY can access gmail in $GODMODE, but it's far more likely that someone's cocked up within VM and it's leaking data like a sieve as a result, given that kind of access comes with rigid ACLs to ensure that VM would only be able to make the migration work from a tiny number of IPs (Unlike VM, google care about security)

      If it was a user issue, the reports wouldn't have all started up around the same time.

      Occam's razor(*) says it's most likely Virgin. It shouldn't be a great surprise that they're just as bad at email as every other part of the job that requires customer satisfaction and more than just shovelling TV streams down pipes.

      (*) Occam had a beard. All the other philosophers kept borrowing his razor.

      1. PatientOne

        Re: Migrated from Google to its own

        Some of the reports coincide with the move - not all.

        I had a batch of 'failed to deliver. Reason: Email contained SPAM' alerts recently. All on the same day. This is well after the migration. These seem to be 'clean' but they do include attachments that purport to be the message I sent.

        So... thinking outside the box for a moment, what's the chance this is a scam? That the 'failed to deliver' notifications are fakes (they were bounced from the same e-mail server, and not one I recognise), or they used my e-mail address for the return address but sent the e-mail from one they control. Then I get the notifications and want to investigate, open the attached copy of the message (get hit by a virus perhaps, or just get to see the spam they're sending out - job done), and waste time trying to figure out how my account got hacked (it wasn't).

        This could have been timed to coincide with VM's move from GMail initially as people would assume VM slipped up and got hacked during the move - a bit of distraction to shift attention from what was really going on.

        Sometimes a duck is a duck, sometimes it's a decoy.

        1. Anonymous Coward

          Re: Migrated from Google to its own

          OK. How do you explain that the emails going out (only some bounced back, others went through to friends and family) were solely people that had emailed me or vice versa. A lot of them were several years and many computers ago and very often in the cc and bcc lines? They are real contacts of ours. We just didn't send them. There's no trace of them in the sent box.

          I am now starting to get emails back from my contact. They've started using those that they harvested the other way around!

    3. Gio Ciampa

      Re: Migrated from Google to its own

      "If they only just migrated to THEIR (Virgin) servers, shouldn't you be looking at Google for the leak?"

      Possible... but given that they migrated TO Google not that long before they brought it back (which begs the question - why did they bother in the first place...?), then there are two migrations in short order that could have provided the means for problems to have arisen...

    4. NikkiA

      Re: Migrated from Google to its own

      accept your comment but my problems started late November early December and I have never held a Google email only virginmedia.com

    5. Kraggy

      Re: Migrated from Google to its own

      The VM mail system was moved to Google some years ago, before that I have no idea where it was hosted, so these 'old' addresses could well have been migrated from the previous hoster to Google.

      In any case, the Google data was migrated to the new system and all reports I'm seeing infer that the alleged breach occurred after that migration.

    6. AlbertH
      Mushroom

      Re: Migrated from Google to its own

      The migration is nothing to do with it. They have sold email addresses of their customers since before they were Virgin Media. Friends of mine have recently been receiving spam ostensibly from my old Blueyonder email address - that hasn't been active for almost 10 years.

      VM are one of the most disreputable showers I've ever had the misfortune to deal with. They believe that "Ethics" is a county near London.

      1. Gio Ciampa

        Re: Migrated from Google to its own

        Took VM at least 5 years to delete my old blueyonder account (and the associated email and file storage that went with it) after I stopped paying for it... came in handy for a while while I moved it all off

  3. Dan Wilkie

    Um...

    Reading that it sounds EXACTLY the same as the "Bouncebacks" that I occasionally get on Hotmail, Gmail, my hosted O365 (though VERY rarely) and indeed even my corporate mail.

    An NDR that appears genuine with an attachment and so forth. Having poked around the attachments (some cases an actual attachment, some cases a link to a site that attempts a drive by) in a throwaway VM, it's just another attempt to try and trick people into installing things on their machine.

    TL;DR - I think that the NDRs are faked, rather than actual emails being sent, as I am not, and never have been, a Virgin customer and get the same thing to 4 different email platforms with 3 different providers.

  4. Shades

    ISP Email

    For the life of me I can't understand why anyone would use an email server that is tied to their ISP? Switch ISP and it's bye-bye old email, unless you start faffing round exporting your old email and contacts (if the old ISP has such options) and importing them to your new email provider (if they also have options to do so). Then you've got to, if you really want, send emails to all your contacts to make sure they have your new email address, which unless they are business contacts, 99% of the recipients will never see anyway! Then you have to update all your website login details that use the old email address, before the old ISP kills off the old account as detail change confirmation emails sent to the old email address will end up vanishing somewhere in the internet and your website login details will be stuck forever (unless the site has a friendly admin... and some don't!)

    No matter how you look at it using an ISP provided email server is pretty silly.

    In an ideal world I'd have my own email server, but I'm far too lazy for that. So, understanding the risks, and my own laziness, it's just simpler to use an email provider/service that isn't tied to an ISP.

    1. Anonymous Coward

      Re: ISP Email

      "why anyone would use an email server that is tied to their ISP?"

      by means of an answer I provide a question:

      "What's a mail server?"

      No, seriously, this IS the answer.

      1. Anonymous Coward

        Re: ISP Email

        But the person quoted at the end of the article claims some of those afflicted are 'savvy IT professionals'. Having an email address tied to your ISP makes it hard to agree with the "savvy" part.

        1. Adam 52 Silver badge

          Re: ISP Email

          Perfectly possible to have your own domain and use your ISP's email servers and a desktop pop/imap client for long term storage.

          That's what I do, what do the rest of you do - run your own 24/7 redundant and monitored mail infrastructure? Or use gmail/Hotmail?

          1. Doctor Syntax Silver badge

            Re: ISP Email

            "what do the rest of you do - run your own 24/7 redundant and monitored mail infrastructure? Or use gmail/Hotmail?"

            Neither. Use a 3rd party service to host my own domain. Along with Hotmail where it's likely spammers will get hold of it. Set up a mail alias for each bank, insurer or whatever - and kill it if they decide to send valuable marketing communications spam.

        2. Alan Brown Silver badge

          Re: ISP Email

          WRT savvy professionals:

          Having an ISP provided email address doesn't mean actually using it. Such accounts come "free" with your account.

    2. Anonymous Coward

      Re: ISP Email

      Obviously YOU don't run a business that requires IMAP, Exchange or Active Directory and you enjoy the stupidity and insecurity of webmail.

    3. Richard Cranium

      Re: ISP Email

      "No matter how you look at it using an ISP provided email server is pretty silly."

      I was about to write almost the same.

      And Virgin's (old) gmail system wasn't the same as "real" gmail but some kind of older version, for example it didn't offer Gmail's two factor security. Presumably it was on an old codebase (on Virgin's servers?) and Virgin had to ditch it as I guess no ongoing maintenance from Google.

      For ISPs the email offering must just be an expensive overhead - they're expected to include email with their broadband package but then get all the hassle of support calls from those so dim they actually use it in preference to a separate third party alternative. The economies they make mean the spam filters are often very crude resulting in false positives and binning some "good" mail (not even putting it in a spam folder). Their low budget for email provision means outages can be lengthy.

      1. John Brown (no body) Silver badge

        Re: ISP Email

        "Presumably it was on an old codebase (on Virgin's servers?) and Virgin had to ditch it as I guess no ongoing maintenance from Google."

        Google thought it would be a good idea to offer "email as a service" to ISPs for a few years, then like many "beta" Google services decided to withdraw it from everyone. It wasn't a VM decision. (although it was VM who decided they could save money farming out email to Google in the first place.)

        My guess is that Google had collected all the email addresses and content it needed for whatever the underlying purpose was and then pulled the plug.

        I can't comment on the codebase in use. I only ever used their webmail once to turn off all filtering and then continued to use pop3/smtp as normal. Not that I use it much anyway since I also use my own hosted domain email, but @blueyonder.co.uk is the one VM prefer to use if they need to tell me stuff.

  5. Richard Boyce
    Facepalm

    Reliance on broadband provider for email

    Why would someone who is IT-savvy remain reliant on a Virgin email address for 20+ years? He should've bitten the bullet and migrated email away from his broadband provider a long time ago, either to a Google address (or similar) or, better still, a domain of his own which can be hosted anywhere. Better late than never.

    1. Nick Ryan Silver badge

      Re: Reliance on broadband provider for email

      I've just logged into my Virgin email account. Went past some crap about "if you don't login regularly we might disable your account" (which obviously wasn't being applied to my account) and admired the long stream of "important" messages from Virgin Media. All unread. Apparently I can upgrade my Internet speed from 150Mb to 100Mb, although they forgot to mention "up-to" and the small points that the upload speed will still suck balls and if you attempt to download something during "peak time" (i.e. anytime until 8pm at night) your entire account will be throttled to buggery.

  6. inmypjs Silver badge

    Around 70

    An ISP with millions of customers has a security breach/leak/exploit affecting around 70 of them?

    Doesn't seem at all plausible. Who would bother doing anything special for 70 email addresses?

    Stupid people give all kinds of apps and 3rd parties access to their contacts and gmail accounts. That is more likely how the contact information got leaked, virgin running on gmail may have helped.

    There seem to be a lot of emails going round looking like they come from person X sent to contacts in person X's address book and containing not much more than salutations and a link to a compromised web site. I had one signed with a friend's obsolete yahoo email address.

    1. Anonymous Coward

      Re: Around 70

      70 are bothered / suspicious / bored (?) to report it. We-don't-know-how-many just hit a "delete" button, for various reasons. That said, I'd still expect the breach to be much wider, hence the ripples well past the 70 mark. On the other hand, very, very seldom, I do get very, very targeted phishing e-mails. (My business partners tend to pay their project managers peanuts, hence massive PM turnaround, hence they get phished every now and then and so their suppliers).

      1. Anonymous Coward

        Re: Around 70

        We're now approaching 100 FB members - just since this article was published yesterday pm and growing by the hour.

        We have not been allowed to post anything about the FB page on the VM forum. Those posts would be deleted and/or user banned from the forum. So the hard work to reach people who were targeted with this without access to the obvious place has been an uphill battle. Now, at least, we can post the link to this article on the forum, which then holds a link to the FB group. Virgin can't do anything about that.

        Channel 4 News are also keeping an eye on this issue. The Register just happened to be the first to mention it (Thank you John Leyden!).

    2. nigeb

      Definitely VM

      When this first happened I figured out for myself that it was spoofed email, not being sent from my own account. But I downloaded my entire email database and searched it for received email addresses - and sure enough the long list matched up with what was in the bounce reports that I received. Note that this isn't a contacts list, it's way more than that.

      So without a doubt someone had access to my email and was able to mine it for addresses. I know you can never be perfectly secure but I do have up to date security software, patches etc. So I feel justified in pointing an accusing finger at VM.

      Virgin's assertion that we "might not have seen" previous attacks due to the configuration of the new mail service is invalid - None of my relatives ever called me to complain before that date. And those on other services such as Sky, also began to see strange emails with my address spoofed at the same time.

      So now my account is being randomly rejected by the smtp server, every time I try to send email it asks me to update my password (on all my devices), then later on it randomly starts working. It's been going on since the breach (could it be a sign of further hacking attempts?) - trying to get any sensible help from their helpline is a waste of time - they didn't seem to understand anything beyond basic client settings and they were confused about which protocols were for send and which for receive.

      I've used that list of email addresses that I extracted to find any & all web sites that I have accounts with over the years and either closed them down or changed the passwords (a huge task) and I've purged the server to avoid any further leaks.
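The comparison described in the comment above (addresses mined from a downloaded mailbox, matched against the recipients named in bounce reports), as an added Python example that is not part of the thread. The sample messages, the contacts set and all function names are constructed for illustration, and only RFC 3464 `Final-Recipient`/`Original-Recipient` fields are read from the bounces.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data on reserved example domains; none of it comes from the thread.
OWN_ADDRESS = "me@example.net"
CONTACTS = {"alice@example.org", "dave@example.org"}  # exported address book

STORED_MAIL = [
    "From: alice@example.org\nTo: me@example.net\n"
    "Cc: bob@example.com, Carol <carol@example.com>\n"
    "Subject: holiday photos\n\nhi\n",
    "From: me@example.net\nTo: dave@example.org\nBcc: erin@example.com\n"
    "Subject: re: invoice\n\nsent\n",
]

BOUNCES = [
    "From: MAILER-DAEMON@mx.example.invalid\nTo: me@example.net\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "Final-Recipient: rfc822; bob@example.com\nAction: failed\nStatus: 5.7.1\n",
    "From: MAILER-DAEMON@mx.example.invalid\nTo: me@example.net\n"
    "Subject: Delivery Status Notification (Failure)\n\n"
    "Original-Recipient: rfc822;ERIN@example.com\n"
    "Final-Recipient: rfc822; <dave@example.org>\nAction: failed\n",
    "From: MAILER-DAEMON@mx.example.invalid\nTo: me@example.net\n"
    "Subject: failed to deliver\n\n"
    "Final-Recipient: rfc822; zed@example.com\nAction: failed\n",
]

ADDRESS_HEADERS = ("from", "to", "cc", "bcc", "reply-to")
RECIPIENT_RE = re.compile(
    r"^(?:Final|Original)-Recipient:\s*rfc822\s*;\s*<?([^\s<>]+)>?",
    re.IGNORECASE | re.MULTILINE,
)


def harvest_addresses(raw_messages, own_address):
    """Map every address in the stored mail to the set of headers it appeared in."""
    seen = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        for header in ADDRESS_HEADERS:
            for _name, addr in getaddresses(msg.get_all(header, [])):
                addr = addr.strip().lower()
                if addr and addr != own_address.lower():
                    seen.setdefault(addr, set()).add(header)
    return seen


def bounce_recipients(raw_bounces):
    """Collect the recipients that the bounce reports say the spoofed mail went to."""
    found = set()
    for raw in raw_bounces:
        found.update(addr.lower() for addr in RECIPIENT_RE.findall(raw))
    return found


def correlate(raw_messages, raw_bounces, contacts, own_address):
    """Classify each bounced recipient by where (if anywhere) the mailbox knows it from."""
    store = harvest_addresses(raw_messages, own_address)
    bounced = bounce_recipients(raw_bounces)
    contacts = {c.lower() for c in contacts}
    in_store = bounced & set(store)
    return {
        # recipients that appear somewhere in stored message headers
        "in_mail_store": in_store,
        # recipients that are also in the exported address book
        "in_contacts": bounced & contacts,
        # recipients known only from Cc/Bcc lines and absent from the address book
        "cc_bcc_only": {
            a for a in in_store if store[a] <= {"cc", "bcc"} and a not in contacts
        },
        # recipients the mailbox cannot account for at all
        "unexplained": bounced - set(store) - contacts,
    }


if __name__ == "__main__":
    for label, addrs in correlate(STORED_MAIL, BOUNCES, CONTACTS, OWN_ADDRESS).items():
        print(f"{label}: {sorted(addrs)}")
```

A large `cc_bcc_only` set shows the recipients were taken from message headers rather than an address book; it does not show which end of the conversation those headers were read from.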

      1. Vic

        Re: Definitely VM

        "So without a doubt someone had access to my email and was able to mine it for addresses."

        Although it does sound like the Bad Guys™ have seen an email you sent, that doesn't mean they saw it in your account; there are at least two endpoints for every email unless you're only sending stuff to yourself.

        Spammers have been correlating addresses for years - it improves the hit rate dramatically, as they'll often hit whitelisted addresses.

        I frequently see spam purporting to be from one of my addresses, going to another of my addresses[1]. Spammers have not been inside my mail server - I watch it like a hawk.

        Vic.

        [1] It bounces off my SPF milter. Which is nice.

  7. MR J

    de ja voodoo

    I had this happen a long time ago (during the migration to google IIRC). The forums were full of users like me who were seeing spam mail appear in the "Sent" box, sent to emails of those in my/their inbox, sent box, and website address book. They could show me that no one had logged in during the times the mails were sent, but sadly they said it must have been me and I must have been compromised. I used a random generated password (letters and numbers) that was 11 digits long, everything was IMAP/SSL.. It was my primary email attached to my web account too, so it could have reset passwords to about 20 other email addresses but nothing was ever touched... No password resets for Ebay, Paypal, or anything like that was ever sent either...

    Lots of people complained, WG said they could find nothing showing it was them, but I am convinced there was some sort of non-login exploit used.

  8. phil dude
    FAIL

    a long time to fix insecure website....

    I have filed a complaint (via twitter) about their insecure website, after being prompted by the phishingest email that *might* have been genuine.

    They were using weak ciphers up to 4 weeks ago, so maybe they fixed it. There have been complaints from 2014!!. Ah great, can't login because "we have updated our systems"....we'll see if it is fixed...

    When I complained in Jan they tried to take the discussion somewhere "private for our engineers", which I refused to use. What they *meant* was private so that their security failings would not be acknowledged in public.

    This is perhaps the only useful thing about Twitter, being able to post screenshots so a company can't deny it....

    P.

  9. cantankerous swineherd

    email is a complete waste of space. if it's important, they can send me a letter, otherwise text or phone.

  10. Mark Allen

    ntlworld email

    Virginmedia moved their email hosting to Google in 2010. Only had to move it back because Google decided to stop doing ISP email any more. (Or at least that is the story I heard)

    I have all ten of my VirginMedia (ntlworld) ISP email accounts in use. Used on forums like this when I don't need to be tracked back to my own personal or business domains. Or online sites I know will send spam. Or plain don't trust.

    This makes spotting scam emails trivially simple. In my case there are two huge magnets for spam. My ebay\paypal address (probably sold on from EBay sellers, or hacked out of their infected PCs, or plain lifted from the insecure Ebay\Paypal sites). My other spam magnet is the email address on my website - that one is on lots of spammers' spam lists.

    Where I don't get any problems is with my own NTL addresses. The only problem ntlworld address I have is one that used to be owned by someone else which I picked up in 2008. That gets some weird spam. Spam that is very common to ntlworld users. I can often contact a small handful of my clients and "compare spam" and find that we have been sent the same spam from the same spammer in the same run. But this only ever happened to that one reassigned address. Never happens to the original accounts I set up in 2003.

    If this hack works on the basis of an address book on the webmail site, then this explains why I have never been hit. BUT if, as is claimed, the scam also trawls the emails in the inbox for addresses then I would have expected to hear something.

    As some above said - 70 reports out of the millions of VM customers does point towards a very small but weird issue.

    Could be worse... just look at TalkTalk!

    1. Anonymous Coward

      Re: ntlworld email

      This is definitely not anything to do with the individual user. The emails in question are only kept on the Virgin server as some of them are that old and PCs/laptops have been replaced a number of times since. They are also contacts that are in the cc/bcc lines of emails sent and received, not address contacts. Blaming individual users is Virgin's 'defense' but the fact that these email addresses weren't even held on current email clients makes that theory fall down quite hard.

      There has been no attempt from Virgin to exonerate themselves either by showing proof that this DIDN'T happen. There has only been the standard response which they posted in October and that is what they have been referring to since. No amount of cleaning up your PC or changing your password would have done anything to help this issue.

      The FB group is now approaching 100 - just since this article was published. More people are starting to find it!

      1. Phil Kingston

        Re: ntlworld email

        There's a few factors involved, but changing PCs doesn't (generally) mean that the emails are removed and then only available on VM's servers.

      2. Vic

        Re: ntlworld email

        "This is definitely not anything to do with the individual user. The emails in question are only kept on the Virgin server as some of them are that old and PCs/laptops have been replaced a number of times since"

        That means nothing. Spammers keep target lists for a *very* long time. I still see attempts for addresses I retired a decade ago, as well as long-lived, recurring attacks against addresses that have never existed (there are some clear typos, indicating that some addresses are hand-typed into lists, some are snaffled using faulty scripts).

        I'm not saying the VM isn't the problem - but the data you're presenting does not support the conclusion you're drawing.

        Vic.

  11. 53m

    I'm one of the affected users. My 'smoking gun' and response to some of the comments on here is that I moved away from my Virgin Media account a long time ago and do indeed use emails hosted on my domain. However I have always forwarded on my NTLworld emails to my main address.

    I hadn't logged into my virgin media email for well over a year. An old laptop did have SMTP and imap details for the account but that had not been turned on for a good 3 months before the spoofing started and the other accounts on that laptop were and are unaffected.

  12. Delores
    Holmes

    Ntlworld, blueyonder, virgin.net spoof

    Hi, I am one of those people affected by the issue. I do not normally post on fora but this issue has concerned me greatly. The people the spoof emails were sent to were held inside old emails as cc's and bcc's. They were not in any contact lists and had not been contacted directly by the customer. It started happening when VM moved platforms. There are currently 80 people in the FB group and it is growing as people start to hear about it.

    We are not saying VM has caused the breach, but there has been a breach and we would like to know how and what has been taken.

  13. Doctor Syntax Silver badge

    Obvious questions

    When they migrated between services did they outsource the work? Seems likely - I can't see their beancounters letting them have enough in-house staff to do it.

    To who was it outsourced?

    And in which country?

  14. Anonymous Coward

    I've seen the exact same spam content, subject lines, etc from Yahoo! customers, Hotmail customers and our own customers.

    Basically, someone had a drive-by nasty that used XSS to harvest their address books. Nothing new under the sun here guys :P

    1. Delores

      Virgin Media spoof email mystery: Customers take to Facebook

      Anonymous Coward

      So you think it is alright for a drive-by to harvest? Don't you want to know how and why? Doesn't it concern you? Have your emails been infiltrated and the contents harvested?

      1. doubledrat

        Re: Virgin Media spoof email mystery: Customers take to Facebook

        If it's as you say, how come the spoofing started in Sept/Oct and fresh cases seem to be tailing off now? If it is as you put it, the spoofing would be consistent, surely?

  15. doubledrat

    facebook group numbers

    No one get hung up on the low facebook group numbers. This is the tip of the iceberg. Vast majority of subscribers don't do forums and won't find the FB page. Many won't even know they've been spoofed and many won't care. Do the sums - VM has 4.2M subscriber base. For every single FB user in the FB group multiply x (choose a figure) to arrive at total number of users affected by spoofing in the UK. Remember 4.2 million subscribers is A LOT of people. Make it 50 for every 1 person gone public and that's 4300 users affected by spoofing. X100 = 8600 affected and so on.

    1. andreas koch
      Paris Hilton

      @ doubledrat - Re: facebook group numbers

      What a coincidence: That's exactly the formula that the jobcentre uses to work out the number of available jobs.

      But seriously now, what difference to randomly picking a number does your example make?

      1. doubledrat

        Re: @ doubledrat - facebook group numbers

        sure by some magical means, the only people affected just happen to be people that use Virgin Media Community Boards......

    2. Down not across

      Re: facebook group numbers

      Some also wouldn't touch FB with a bargepole.

  16. EnviableOne
    FAIL

    NTHell, Teleworst and Virgin Mumble

    Personally I think it all goes back to how VM was formed, the worst parts of Telewest and worst parts of NTL were hastily merged together, and part way through the process they threw the worst parts of virgin mobile into the mix.

    If the mergers had been done properly, the customer service would be great, the tech team would be greater, and they would never have had to use Gmail in the first place.

    But it does look as if an email store was intercepted "in transit" from gmail to VM that has caused the issue, but given the CustServ organisation are from NTL, and senior management still haven't changed, I doubt they will ever admit to it.

    1. Vic

      Re: NTHell, Teleworst and Virgin Mumble

      "If the mergers had been done properly"

      That was never going to happen.

      Project Harmony was the attempt to unify the various systems involved. It was actively opposed by the former bosses of the bought-up companies, who still believed themselves to be the heads of their own respective fiefdoms, despite having sold the company...

      "But it does look as if an email store was intercepted "in transit" from gmail to VM"

      That is one possible cause. It is far from the only one. It wouldn't be where I would start investigating.

      Vic.

      1. doubledrat

        Re: NTHell, Teleworst and Virgin Mumble

        Vic, interesting comment - where WOULD you start investigating???

  17. David Lawrence

    Same thing just happened to me....

    ......yesterday. The only difference is that I don't use Virgin. I use Yahoo Mail. Someone/something appears to have obtained my yahoo contact list, and spoofed emails to everyone on that list. The emails claim to be from me, but from a weird email server (vait.se). It's the same old 'click this link' thing. I have checked and according to Yahoo's records, no-one has accessed my email account but me, from my computer and phone. The emails were sent at 2pm yesterday, when my pc was off and my phone was not connected.

    So I have to conclude that the clever b'stards somehow managed to pull my contact list somehow. If that is right then I don't think there is anything I can do, apart from abandoning Yahoo and using something else instead.......Gmail? Any suggestions?

  18. This post has been deleted by its author

    1. Phil Kingston

      Re: Virgin Media spoofing and data breach

      I don't see any haters?

  19. David Roberts
    Boffin

    Seems fairly obvious

    From the postings of victims so far it does seem pretty obvious that some VM customers have had their mail stores stolen or at least analysed in depth.

    Given that some of the victims haven't used web access for some time this is unlikely to be a recent browser exploit (unless perhaps they have their account passwords stored long term in cookies).

    So either the mail store data has been compromised, or credentials from other modes of access such as IMAP/POP3 have been intercepted. Or possibly the users have re-used passwords which have been stolen elsewhere (not top of the obvious list).

    If people have not even logged into the service recently via any means (I can't remember if Virgin offers auto-forward to another account) then this does point to a chunk of the mail store falling into the hands of spammers.

    Reaching this tentative conclusion from the information posted so far in the thread is not rocket science. Any reasonably competent email (or IT in general) professional could reach a similar conclusion. However do VM have many on the books, and would they use them if they had? Denying responsibility is easier than investigating and finding something unpleasant.

    As it happens I have ntlworld email accounts which are still active, although not very much, and fortunately I haven't seen any SPAM activity so far. This seems to suggest that not all addresses are compromised (or that the spammers are just cherry picking).

    A professional ISP would work with the customers to try and establish any common factors - such as which tranche of migrations they were in, or if they were all blueyonder customers. It seems as though this isn't the modern way, though.

    Hope that the action group can isolate a common factor, but it will be hard without VM cooperation.

    Date of migration might be interesting; from the notification emails I have received as far as I can remember not all my accounts migrated at the same time.

    1. Vic

      Re: Seems fairly obvious

      Reaching this tentative conclusion from the information posted so far in the thread is not rocket science. Any reasonably competent email (or IT in general) professional could reach a similar conclusion.

      Any competent IT professional would realise that there are several ways for this to have occurred, and would be gathering data to attempt to prove/disprove hypotheses, rather than jumping at the first conclusion drawn.

      For my money, this looks too small to be a VM breach. It bears the trappings of a standard address-correlated spam attack. I have seen many of those, across many different email providers. That's not to say that it couldn't be a VM breach - just that the data presented so far doesn't come anywhere near proving one.

      Vic.

  20. Stuart Abbott

    Not seen this issue...

    Hmm as someone with a number of very old blueyonder email addresses I've not personally seen this issue.

    When VirginMedia moved away from google one of those accounts did experience (and continues to experience) a lot more spam than it used to, but no sign of spoofing and certainly no returns from addresses sent to.

    It doesn't seem to be a systemic issue, but that could be down to a hack only affecting a number of accounts instead of all.

  21. Anonymous Coward

    Virgin Media locking some accounts until user resets password

    This week Virgin Media has been locking some email accounts until the user resets the password,

    http://community.virginmedia.com/t5/Announcements/Email-help-links/td-p/3060914

    How many accounts and why?

  22. Anonymous Coward

    Reports of Virgin Media spoofees continue

    The number of reports from holders of Virgin Media accounts who are troubled by spoofed messages being sent to lists of their correspondents continues to grow. There are new cases every month.

    http://wardinewrock.blogspot.com/2016/05/virgin-media-spoofing.html

    The Facebook group remains active and has more than 240 members at the current time.

  23. SidF

    I've been getting spoofed emails from a contact with a blueyonder address for about 6 months now, at the rate of 1 or 2 every 3 months. I understand the person has changed his/her blueyonder login password several times and this does not stop the spoofed mails from being generated. I'm not sure how blueyonder is part of Virgin Media's stable of email domains but previous reports on the internet say that it is housed/run by Virgin as is ntlworld. Presumably if this was just a one off leak of some addresses and contact lists, then there is no way of stopping the spoofing in the future should the spoofers still be in business?

  24. sayling

    Potential dissent is not tolerated

    Sadly, it appears there is some group inspired hysteria on Facebook amongst the excellent detective and monitoring eureka being done.

    Being someone who is currently being spoofed, I joined to provide and give assistance and support, but have now been removed - and I can only surmise it was because I posted a point of view a little contrary to what the group now believes to be the problem.

    1. Delores

      Re: Potential dissent is not tolerated

      Please join again, I'm not sure what dissenting you did.

  25. Delores

    Still more customers coming forward who have had their data breached since the change of platform. The Facebook Group is nearly 400 with more joining every day. The information that was harvested was not in any contact list, it was contained in archived files on VM's system. They were people who were cc'd into emails received and sent. This indicates to me, I am sure I will be corrected if I am wrong, that someone has had to open individual emails to get this information. What other information could they access?

    VM continues to ignore the issue and tell people to change passwords.

    Since the move of platform VM's community forum is awash with unhappy people; spam is endless, businesses are unable to email VM addresses and the data breach.
