In the mean time, Talk Talk advise their customers that there is "no need" to change their passwords: http://www.bbc.co.uk/news/technology-38223805

Unfortunately some vendors are more concerned about not admitting mistake.

Now, technically if they don't use the admin password they are probably OK. But (A) most people don't change their password. Heck, I work in IT Security and I still have admin passwords on some of my devices! (B) It's always good practice to change passwords ... just in case.

What exactly do you expect from an ISP that can be hacked by teens? I find it more unbelievable that TalkTalk still have customers: "95,000 subs left after hack – 94,000 joined in last six months", "firm reveals £22m profit jump" [0].

Granted, it's difficult to say how much better other ISPs are. But come on.

[0] http://www.theregister.co.uk/2016/11/15/talktalk_h1_fy2017_r...

Does TR-064 only affect ISP provided routers? The way I understand it, it seems this would be the case.