TM Negligence Exposes Thousands of Malaysia Streamyx Accounts

Many Malaysians are unhappy with the expensive Streamyx broadband charges offered by TM (Telekom Malaysia) because other countries offer faster connections for a cheaper price. As for me, I am just happy that we have broadband, and it is fine with me as long as the connection is stable. From time to time we experience slow browsing while accessing international websites because a line broke down and they had to reroute all traffic through another link. Another common problem with Streamyx is that some users are unable to connect at all, which can be caused either by glitches on their system or by someone illegally using the account.

The fact is that a Streamyx account cannot be used by two connections at the same time. So if you are already connected to Streamyx broadband, someone who knows your account username and password won’t be able to connect using your account information. If you find yourself unable to connect, dial 100 from your landline and ask the customer service person to check whether the account is currently being used. If it is, I would advise you to change your password at TM’s Selfcare website rather than asking the customer service person to change it for you.


To change your Streamyx account password:
1. Visit TM’s Selfcare website at https://tmbill.tm.net.my/
2. Enter your Streamyx username (without the @streamyx), password and IC number, and make sure that Streamyx is selected in the service drop-down menu. Click the Login button.
3. Under Account Management, click Change Password.
4. Enter your old password, followed by your new password and click the Update button.

The big question is how someone got hold of your Streamyx account in the first place. Actually it is pretty easy. I am not sure if TM still gives out the default password tmnet123, but they used to. Anyone can simply guess a username and try the password tmnet123.

There is another method which I recently thought of after reading a post by scriptop in a forum saying that there are people selling hacked Streamyx accounts. You can read the posts on why the hacked Streamyx accounts are sellable. Basically this method involves accessing the routers provided by TM using the default password and then using a third-party tool to reveal the hidden password behind the asterisks. I tried it myself and was able to obtain a Streamyx account in less than a minute. No step-by-step tutorial, but I’ll just provide screenshots of how it works.

[Screenshot: Port scan routers] SoftPerfect Network Scanner looks for possible routers that have port 80 open for web browser management.

[Screenshot: Streamyx router default password] Attempt to log in using the router’s default password: tmadmin, support, tmuser, admin, password, etc.

[Screenshot: Streamyx account hacked] BulletsPassView shows the hidden Streamyx password behind the asterisks.

How many are vulnerable? I tested an IP range (1-255) and there were 82 online hosts. Only 44 had port 80 open, and 22 of those routers were using the default password. There are 1.7 million Streamyx subscribers; you do the math.

There are a few things that TM can do to stop Streamyx accounts being stolen so easily. Firstly, disable remote router management by default. If they need to have it enabled, then at least include a printed card guiding the user on how to change the router password after setting it up. Finally, stop being lazy and give each router a unique password instead of a default one. To the person selling stolen Streamyx accounts: if the law doesn’t get you, karma will.