I've recently joined TPG and had to go through the "forgot your password" process only to then have my own password sent to me! They must be stored unhashed in the database, big time security concern given how many database dumps seem to find their way onto the internet these days.
Keep in mind a lot of people either use a common password for multiple accounts or use a common theme between passwords.
eg. 1 - a mobile phone number porting attacker (extremely easy to pull off in Australia) could just request your password from TPG with no 2nd factor authentication, and be sent it to the ported phone.
eg. 2 - attacker knowing a target sends the request through TPG for a password to be sent to target's phone; after the msg is received, attacker asks to borrow phone to make a call - job done.
eg. 3 - your email is hacked and they know your email acct password; they can send a request from TPG for a password and get it sent in plaintext. They now know 2 passwords and can start building a common picture between passwords; next stop banking or other email accounts.
While these at first glance seem extreme - hacks like these occur every single day here in Australia to all ranks of people, and very poor security policy from such a big Internet provider is not helping the case.
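The point of the post above is that a provider who can send you your own password has it stored in recoverable form. The following is an added example (not TPG's code, and nothing is known about how their tool works) showing the defender's alternative: store only a salted PBKDF2 hash, so a "forgot password" flow cannot return the password and instead issues a short-lived, single-use reset token. The in-memory `db` dict, the `users`/`reset_tokens` table names, the iteration count and the 15-minute token lifetime are all constructed assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example; tune per current OWASP guidance.
PBKDF2_ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16                  # per-user random salt
RESET_TOKEN_TTL_SECONDS = 15 * 60


def new_db() -> dict:
    """Constructed stand-in for the provider's database (two 'tables')."""
    return {"users": {}, "reset_tokens": {}}


def hash_password(password: str) -> dict:
    """Return a storable record: salt + PBKDF2 hash. The password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def register(db: dict, username: str, password: str) -> None:
    db["users"][username] = hash_password(password)


def issue_reset_token(db: dict, username: str, now: float) -> str:
    """'Forgot password' step: mint a random token, store only its hash plus an expiry.

    The returned plaintext token is what would be delivered to the user; a
    database dump reveals only its SHA-256, which cannot be redeemed.
    """
    token = secrets.token_urlsafe(32)
    db["reset_tokens"][username] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires_at": now + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(db: dict, username: str, token: str, new_password: str, now: float) -> bool:
    """Set a new password if the token is valid, unexpired and unused.

    The token is single-use: it is removed on success or on expiry. A wrong
    token does not consume it (a 256-bit token is not guessable), so a typo
    does not lock the legitimate user out.
    """
    entry = db["reset_tokens"].get(username)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del db["reset_tokens"][username]
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(entry["token_hash"], presented):
        return False
    del db["reset_tokens"][username]
    db["users"][username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    db = new_db()
    register(db, "alice", "correct horse battery staple")
    # Nothing in the stored record is the password itself.
    print("plaintext in db:", "correct horse" in repr(db))
    tok = issue_reset_token(db, "alice", now=0.0)
    print("redeemed:", redeem_reset_token(db, "alice", tok, "new passphrase", now=60.0))
    print("reused:", redeem_reset_token(db, "alice", tok, "again", now=61.0))
```

The design choice worth noting is that both secrets (the password and the reset token) are stored only as hashes: a leaked database gives an attacker neither something to email back to a victim nor a token they can redeem, which is exactly the exposure the original post describes.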
Welcome to the Community!
We appreciate your feedback and please be assured that we have taken this into account.
Measures were taken to improve the security of the "Forgot Password Tool" and the update has been applied today.
Should you require any assistance, feel free to drop us a message. Cheers!