Vodafone Blames Successful Hacking Attack on Customers Who Use Weak Passwords

Failure to set up strong passwords has once again hurt users, and this time the victims are Vodafone customers. According to idnes.cz, two hackers (Petr Bužo and Nikola Horváthová) based in Czechia have already been identified and put behind bars for illegally accessing Vodafone customers' accounts and stealing their assets by transferring them to their own betting accounts. Unfortunately, this is not the end of the story: the company is now fighting its own customers, claiming that they are the ones who need to cover the costs of the data breach. Vodafone blames the customers for using a password that helped hackers get into accounts and steal the money. In this report, we try to make sense of this complicated story, and we provide tips that should help you create a strong password, stop hackers from guessing passwords, and avoid painful data breaches in the future.

How did hackers get into password-protected Vodafone accounts?

The answer is truly cringe-worthy: they successfully hacked accounts whose users used 1234 as the password. Although it would seem that this wouldn't get anyone far, Petr and Nikola managed to steal 667,000 Czech Crowns from at least 60 unique accounts, which converts to around 26,000 EUR or 30,000 USD. The most shocking thing is that the scam started over a year ago, on the 2nd of April 2017. The hackers managed to hack into a foreign account first, and it is likely that this wasn't the last time, considering that Vodafone operates in 25 countries and has partners in 47 others. The two criminals would order new SIM cards at an online self-service shop, and since they could provide legitimate phone numbers and passwords, further identification was not required. Once the schemers obtained and activated the cards, they could send “premium SMS” messages to gambling services to transfer money to game accounts at Tipsport and Chance. After that, they could go to any betting office to make bets and launder the stolen money.

Why does Vodafone expect its customers to cover the losses?

Vodafone claims that users are the ones to blame for the attack because of their poor security practices, but the customers are in shock because they claim they did not even know that they had a password or that they had access to a self-service shop at all. The crazy thing is that, apparently, Vodafone itself can pre-set a numerical password for the self-service portal, which suggests that the security issue is rooted in the company itself. Although customers have been setting up their own six-digit Vodafone passwords for the past 6 years, the compromised accounts were created before 2012, and it is no wonder some victims did not even remember or know about the existence of the pre-set Vodafone password. And things could have been much worse than they are now! If the schemers had been able to link a password to an existing phone number, they could have gained access to personal information and performed identity theft. This did not happen, but it makes one wonder whether Vodafone would have blamed its own customers if their personal identities had been stolen too. At the moment, however, the company wants customers to take responsibility, and in an official statement, it claims that it is their responsibility to set up strong and unique passwords.

This isn't the first time Vodafone customers' data was breached

Back in 2015, personal details of nearly 2,000 customers based in the UK were stolen. In this case, the breach occurred when attackers obtained Vodafone passwords and email addresses from an “unknown source.” Clearly, the company has had issues with its online customers' privacy, and it was not able to ensure it in the past. In 2013, a data breach was found to have affected 2,000,000 customers in Germany as well. Although the company then claimed that the data stolen by attackers could not have been used because Vodafone passwords, phone numbers, and credit card details were not stolen, this further proves that the company has issues. Even if customers are to blame in the latest data breach for not upgrading weak passwords, if schemers and hackers find an opportunity, it should not be hard to crack six-digit numerical passwords using brute-force attacks anyway. Hopefully, this does not happen, and Vodafone takes appropriate measures to ensure that data breaches are not only uncovered on time but also stopped before they even begin. In the meantime, users have to be cautious.

How to stop hackers from guessing passwords

Even if Vodafone might be wrong in its battle against its own customers, the company has one thing right, and that is that you need strong and unique Vodafone passwords to protect your accounts. If you want to stop hackers from guessing passwords, you have to make sure that they are impossible to guess in the first place. That means that 1234 is not a good password. In fact, it might be the worst one you could be using, and if your Vodafone password was set up before 2012, we suggest changing it ASAP. Even if you do not think you have access to self-service portals, you must check that and make sure 1234 is not the passcode that could enable hackers to obtain access to your account. Putting your birth date or another significant date into the numerical Vodafone password is not a good idea either. What you should do is create a completely random number, and it should be as long as you are allowed to make it.

If you are afraid you would not remember the password, do not even worry about it. Just install a trusted password manager, and use it to keep your passwords safe. You can even use a password generator if you need help creating a completely random password. And to make sure that hackers are stopped from guessing passwords, don't forget to change them frequently.
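The advice above (no 1234, no dates, a random number as long as allowed) as an added example; this is not code from Vodafone or from the original article. It draws a numeric password from the operating system's random source and redraws whenever one of the weak patterns named here appears. The function names, the rule set and the six-digit minimum are assumptions chosen for illustration.

```python
import secrets
from datetime import date

MIN_LEN = 6  # assumption: the six-digit numeric format the article mentions


def _day_month_ok(day, month):
    try:
        date(2000, month, day)  # leap year, so 29 Feb also counts as a date
        return True
    except ValueError:
        return False


def is_date_like(pin):
    """True if the PIN reads as DDMMYY, MMDDYY, YYMMDD or an 8-digit 19xx/20xx date."""
    if len(pin) == 6:
        a, b, c = int(pin[:2]), int(pin[2:4]), int(pin[4:])
        return _day_month_ok(a, b) or _day_month_ok(b, a) or _day_month_ok(c, b)
    if len(pin) == 8:
        a, b = int(pin[:2]), int(pin[2:4])
        if pin[4:6] in ("19", "20") and (_day_month_ok(a, b) or _day_month_ok(b, a)):
            return True  # DDMMYYYY or MMDDYYYY
        if pin[:2] in ("19", "20"):
            return _day_month_ok(int(pin[6:]), int(pin[4:6]))  # YYYYMMDD
    return False


def weakness(pin):
    """Return why a numeric password is weak, or None if no rule fires."""
    if not (pin.isascii() and pin.isdigit()) or len(pin) < MIN_LEN:
        return "too short or not numeric"
    if len(set(pin)) <= 2:
        return "one or two repeated digits"
    steps = {(int(y) - int(x)) % 10 for x, y in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        return "ascending or descending run"
    if is_date_like(pin):
        return "looks like a date"
    return None


def generate_pin(length=MIN_LEN):
    """Draw digits from the OS CSPRNG; redraw until no weakness rule fires."""
    if length < MIN_LEN:
        raise ValueError("length below minimum")
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if weakness(pin) is None:
            return pin
```

The same `weakness` check can be run on a password you already use before deciding whether to replace it.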

September 11, 2018
