TalkTalk customers' Wi-Fi passwords were stolen in last week's cyberattack, a security expert has claimed. Carl Court/Getty Images

TalkTalk customers' Wi-Fi passwords have been stolen following a massive cyberattack last week that left some Post Office and TalkTalk customers without an internet connection, a security expert has warned. However, a TalkTalk spokeswoman has said the company has not seen any evidence so far to confirm the threat.

According to Ken Munro, a security researcher at Pen Test Partners, customers' passwords could have been stolen from faulty routers, which could potentially allow malicious hackers to find out additional sensitive information about customers, including where the equipment is being used.

"The Wi-Fi password protects all of the traffic on your home network so if a hacker has got the key, they can get onto your home network and see all of the traffic on there, including social media accounts and other passwords," Munro said, The Telegraph reports.

He added that more than 50 different brands and around 10 million routers could be vulnerable to the issue.

Last week, certain types of routers were targeted by a modified version of the Mirai malware that spreads through hijacked computers and damages devices running the Linux operating system in order to knock services offline. A similar attack was also used to disrupt the internet connection of up to 900,000 German Deutsche Telekom customers in November.

In a blog post, Andrew Tierney, a security consultant at Pen Test Partners, wrote that the TR-064 security hole exploited last week by hackers using a modified version of the malicious Mirai worm could also be used "for more than just recruiting the router into a botnet."

Although TalkTalk did release a fix for the vulnerability, it simply disables the TR-064 interface and resets the router and its password back to the default one written on the back of the router.

"Nearly all customers never change their Wi-Fi key from that written on the router," Tierney wrote. "Why would they? I'll bet that many don't even realise they can. So, the Annie worm and hackers have already stolen their Wi-Fi keys, and the TalkTalk fix simply resets the router to the exact same keys that have already been stolen."

Using one of the affected routers to study the threat, Tierney said that his "honeypot" router was targeted by a hacker attempting to steal its Wi-Fi network key using the 'GetSecurityKeys' command.

The researcher noted that a cybercriminal would have to be physically close to the vulnerable router in order to compromise the Wi-Fi. However, he warned that if the hacker has a customer's Service Set Identifier (SSID), which was erroneously disclosed by affected devices in last week's attack, it could be used to find out where the equipment and the customer's home are located using online tools such as Wigle.

Tierney said that unless TalkTalk and other firms can prove that their customers' Wi-Fi keys have not been swiped, they must replace customers' faulty routers "urgently."

However, TalkTalk said it has not seen any evidence to suggest that its customers' routers are unsafe or that passwords have been stolen in the cyberattack.

"As is widely known, the Mirai worm is affecting many ISPs around the world and it has affected a small number of TalkTalk customers," the spokeswoman told the BBC. "We continue to take steps to review any potential impacts and have deployed a variety of solutions to ensure customers' routers remain safe.

"We have also employed additional network-level controls to further protect our customers."

The spokeswoman said that some TalkTalk customers who contacted the company have been asked to change their Wi-Fi passwords. However, the company's security team reportedly believes that to be an unnecessary step now.

In October 2015, TalkTalk was hacked in a massive cyberattack that resulted in the theft of nearly 157,000 customers' details. The cybercriminal also accessed bank account details and sort codes in another 15,600 cases. The company was recently hit with a record fine of £400,000 ($509,860) by the Information Commissioner's Office (ICO) over the 'easy' hack.