TalkTalk kept my email account active for 8 years after I left – now it's spamming my mates
But ISP won't nuke nuisance without proof of ID
Updated TalkTalk has refused to delete a former customer's email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago.
The customer, Joanne, was contacted by her friends after they started receiving spam from an old email address of hers. After digging out the account details, she found that she was able to log in – suggesting that her password had been brute-forced by the spammers.
While she was able to log in, the webmail interface provided by TalkTalk did not allow her to change her password. To do that the user has to log into the separate TalkTalk account portal, which you cannot do if not a current customer.
A Reg-reading friend of Joanne's, Daniel Gibbs, then had a look at her account. He told us that once the spammers had cracked the account password and harvested the contents of the address book, they began "sending out emails to the harvested email addresses – in this case the emails look more genuine than usual as the emails contain the subject line from a previous conversation. The emails contain a URL disguised as a hyperlink to a .pdf or .img file".
In emails seen by The Register, TalkTalk refused to take any action unless Joanne posted two separate proofs of her identity to TalkTalk's Salford HQ.
"Unfortunately we can not act on your query as you no longer have an account with TalkTalk," a customer service advisor said in an email to her. "Please contact your services provider so that they will help to investigate on your issue or request for a IT to look into this issue to come up with a resolution." [sic]
Gibbs commented: "Personally I would not be prepared to send two forms of ID to a company which has no current formal relationship or contract with me, and additionally has a track record of being catastrophically inept in protecting the data of its customers."
The Register has passed full details of Joanne's case to TalkTalk. The ISP acknowledged receipt but has not yet sent us a statement about why it refused to delete her account when she asked them to. Nor had it explained why a customer account that had been inactive for eight years wasn't deleted after the customer walked away.
Gaining access to a legitimate email account is a valued thing for spammers, and sending attachments to recent email conversations is one convincing method of getting past anti-phishing awareness training ("Do you know this sender? Have you interacted with them before?"). In this case it was pure luck that Joanne's account had been inactive for eight years and that recipients of the booby-trapped attachments knew instantly something was amiss.
The standard advice is never to open unsolicited attachments unless you know the sender and are expecting their email. Verifying that someone really has just sent you a file titled
compromising-pics-of-the-boss.pdf takes mere seconds in this day and age. ®
TalkTalk contacted The Register five hours after this article was published. A spokesperson said: "We are sorry for any inconvenience Ms Thompson experienced whilst her old TalkTalk email address was still active. The email address has now been deleted." Hurrah!
Sponsored: Becoming a Pragmatic Security Leader