This afternoon Talktalk Technical Support phoned me to apologise for giving out my password! Over Christmas my email had stopped working and I called to check why and they "reset" my account somehow and I agreed a new default password. I tried logging in afterwards to the online account manager but had lost the password they send you in the post to set up your account and after hanging on the 0870 number for a couple of minutes I gave up and left the password as their default random looking one. It turns out that a new customer in January had been given my email account details and the password as their account. Consequently that customer has been logging into my email account over the last few weeks, probably thinking that email to me was spam and sending email from my address!
I can't believe that a company can be so cavalier about customer privacy. Needless to say, I've gone online and changed the password again from the new one agreed on the phone.
Lessons learned:
- Never send anything confidential by email unencrypted (at least put a password on a document)
- Always change passwords from defaults or if given temporarily to someone else
- Stick to more secure mixed numbers and letters passwords of a decent length (8 characters or more), a tool like Sxipper can be helpful if you have to keep switching between accounts
- If it's important then digitally sign it
- Expect companies (like Carphone) to give away your details by accident and know who to contact if you think something has been compromised