A cyber-security advisor to Europol said he was astounded by the decision by TalkTalk to advise users that there was "no need" to change their routers' settings, when they should at the very least have changed their passwords.
A spokeswoman for TalkTalk said that customers could change their settings "if they wish" but added that she believed there was no risk to their personal information.
A variant of the Mirai worm was found to be causing several makes of routers to stop working properly and, in a second attack, forced the hardware to reveal its wi-fi password.
Hackers would not be able to use the credentials to carry out a mass attack from a distance, but they could drive through the streets searching for a match. Once a match was found, they could investigate a user's data, or mount an onward attack.
Security experts also said that even if the risk to individual users was no higher than using a coffee shop's open wi-fi network, they still felt TalkTalk was giving the wrong advice around passwords.
The company was fined £400,000 last month by the Information Commissioner's Office for a previous breach that led to the theft of nearly 157,000 of its four million customers' personal details.