This report is yet to be verified, however a better question to ask is whether or not Plusnet has started using 2-factor authentication and if not, why not? Passwords by themselves will always be the weak link, because non-technical users (i.e. the majority) will default to using words and phrases that they can remember, which often is a family name. This is easy for hackers to exploit and more attention needs to be taking care of the basics.