Anatomy of a Breach

Anatomy of a Breach: News of the World — Phone Hacking, Voicemail PINs, and the Leveson Inquiry

> series: anatomy_of_a_breach —— part: 031 —— target: thousands_of_voicemail_accounts —— method: default_pins —— consequence: newspaper_closed<span class="cursor-blink">_</span>_

Hedgehog Security 31 July 2011 13 min read
phone-hacking news-of-the-world voicemail uk-scandal leveson-inquiry default-pins communications-security series
Breach #031

They dialled the voicemail. The PIN was still the default.

The News of the World phone hacking scandal was not a cyberattack in the conventional sense — there were no servers compromised, no malware deployed, no vulnerabilities exploited in software. Instead, journalists and private investigators working for the News of the World, a News International (now News UK) newspaper, systematically accessed the voicemail accounts of thousands of people by exploiting the simplest of security failures: mobile phone voicemail systems protected only by default PINs that users had never changed.

The scale was staggering. Victims included celebrities, politicians, members of the Royal Family, crime victims, and — most shockingly — the family of murdered schoolgirl Milly Dowler, whose voicemail was accessed while she was still missing, giving her parents false hope that she was alive. The revelations, which had been building since 2006 but reached a crisis in July 2011, led to the closure of the 168-year-old newspaper, the Leveson Inquiry into press ethics, criminal prosecutions (including the imprisonment of former editor Andy Coulson), and a fundamental reassessment of communications privacy in the UK.

How It Worked
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Default PINs and remote voicemail access.

The 'hacking' technique was devastatingly simple. Mobile phone voicemail systems allowed remote access — users could call their own number from any phone and enter a PIN to listen to messages. The PINs were typically set to a default value (such as 0000 or 1234) by the network operator, and most users never changed them. By calling a target's mobile number, selecting the voicemail option, and entering the default PIN, anyone could listen to private voicemail messages.

Default Credentials — The Universal Vulnerability
The phone hacking scandal is the most high-profile example of default credential exploitation in UK history. Default PINs on voicemail systems are no different from default passwords on routers, IoT devices, or administrative interfaces — they provide a known, shared secret that is trivially exploitable. Our <a href="/blog/from-the-hacker-desk-default-credentials-ics">default credential case studies</a> demonstrate the same principle across industrial and corporate systems. <a href="/cyber-essentials">Cyber Essentials</a> mandates changing default credentials as a baseline control.
Telecoms Security Was an Afterthought
Mobile network operators had deployed voicemail systems with remote access enabled by default and weak, guessable PINs — prioritising user convenience over security. The operators were not the attackers, but their design decisions enabled the abuse. Our <a href="/blog/sector-under-the-microscope-retail">sector analyses</a> examine how platform design decisions create — or prevent — security vulnerabilities.
Thousands of Victims
The Metropolitan Police's Operation Weeting identified approximately 5,500 potential victims of phone hacking. The breach was not a one-off incident but a systematic, industrialised practice conducted over years, targeting anyone whose private communications had news value.
Criminal Prosecutions and the Leveson Inquiry
The scandal led to the Leveson Inquiry into press ethics, the criminal prosecution and imprisonment of journalists and editors, the closure of the News of the World, and significant changes to how UK law enforcement investigates communications interception offences.
The Lesson

Default credentials are never acceptable.

The phone hacking scandal is the most visible consequence of default credentials in UK history — but the underlying vulnerability is universal. Every device, system, and platform deployed with a default password is vulnerable to the same exploitation. Our infrastructure penetration testing systematically checks for default credentials across routers, switches, firewalls, printers, IoT devices, management interfaces, and application platforms. We find them in almost every engagement.

Cyber Essentials certification requires that all default passwords are changed before deployment — a control that, had it been applied to voicemail PINs, would have prevented the entire phone hacking scandal. For ongoing monitoring that detects the use of default credentials on your network, SOC in a Box provides continuous vulnerability detection. And for incident response when communications interception is suspected, UK Cyber Defence provides the forensic investigation capability.

Default Credentials

The News of the World was shut down because of default PINs. Have you changed yours?

Our <a href="/penetration-testing/infrastructure">penetration testing</a> checks every device on your network for default credentials. <a href="/cyber-essentials">Cyber Essentials</a> mandates that defaults are changed. Because the most expensive breach in UK media history started with a four-digit PIN that nobody bothered to change.

Commission a Penetration Test Next: Operation Shady RAT
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 31 March 2026

Anatomy of a Breach: European Commission and Stryker — EU Government Cloud Attacked and Iran-Linked Group Hits Medical Technology

Breach #207. March 2026 brought attacks against both government and healthcare infrastructure. On 24 March, the European Commission disclosed that a cyber attack had struck the cloud infrastructure hosting the Europa web platform — with data taken from affected websites. The full scope remained under investigation. Separately, medical technology company Stryker experienced a significant cyber attack linked to an Iran-aligned hacktivist group. The attacks demonstrated that government cloud platforms and medical device manufacturers — both critical to the functioning of society — remain persistent targets for nation-state and hacktivist groups.

european-commission stryker
13 min read
Anatomy of a Breach 28 February 2026

Anatomy of a Breach: BridgePay and University of Mississippi Medical Center — Payment Systems and Patient Care Both Disrupted by Ransomware

Breach #206. February 2026 saw ransomware disrupt two critical services. BridgePay — a payments platform serving city governments and municipalities — was hit by ransomware that disrupted payment processing for local government customers across the US, with systems not fully restored until 28 February. The University of Mississippi Medical Center was forced to close clinics after ransomware disabled IT systems and electronic health records, requiring clinicians to revert to manual downtime procedures for patient care. The clinics reopened on 2 March. Both incidents demonstrated that ransomware continues to target the systems that people depend on most — government payments and healthcare.

bridgepay ransomware
13 min read
Anatomy of a Breach 31 January 2026

Anatomy of a Breach: Match Group and Eurail — Dating Platform Intimacy and Passport Data Both Exposed

Breach #205. January 2026 opened with two breaches exposing the most personal categories of data. ShinyHunters claimed the theft of over 10 million records from Match Group — the parent company of Tinder, Hinge, and OkCupid — reportedly accessed via social engineering of Okta SSO access and downstream marketing tools. The leaked data allegedly included user IDs, IP addresses, subscription details, and internal corporate data. Separately, Eurail disclosed that attackers had accessed its environment and copied data including names, contact details, travel companion details, and passport information — numbers and expiry dates — for an undisclosed number of customers. Dating preferences and passport data: two categories of personal information that people expect to remain private.

match-group tinder
13 min read
All Posts Get in Touch