Facepalm: Equifax Allegedly Used ‘Admin’ As A Password For Employee Web Portal
Equifax last week disclosed what some are considering to be the worst security breach ever, not because of the sheer number of people affected—143 million Americans—but because of the information coughed up. We are talking names, addresses, Social Security numbers, and so forth. Pretty much everything a malicious agent would need to steal an identity and/or ruin someone's credit.
The looming question is how something like this could happen, and the answer is not pleasant. Brian Krebs of KrebsOnSecurity says he was contacted by Alex Holden, founder of Hold Security LLC, who told him that Equifax left wide open an online portal designed to let employees in Argentina manage credit disputes. The login credentials for this portal were simply "admin" for the username and "admin" for the password.
"Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The 'list of users' page also featured a clickable button that anyone authenticated with the 'admin/admin' username and password could use to add, modify or delete user accounts on the system," Krebs stated in a blog post.
Now this is not to suggest that Equifax unwittingly forfeited private information belonging to 143 million Americans because of a basic password issue. However, it does underscore that a company in possession of some of the most valuable and trusted information it can obtain needs to do some serious work with its security protocol(s).
In this case, logging in to the employee portal reveals a record of each employee in plain text, with a corresponding password dotted out. All that is required to reveal the dotted-out passwords is to right-click on the employee's profile page and select "view source," which displays the raw HTML code behind a website. The passwords would then be visible in plain text.
"A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily," Krebs added.
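As an added illustration, not code from the original article or from Equifax, the following Python audit shows how a defender would check a profile page for the two problems described above: a password input whose plaintext value is embedded in the HTML source behind the dotted-out field, and a password that merely equals the username or is derived from the employee's name. The sample page, the employee name and the field names are constructed for the example.

```python
"""Audit an HTML profile page for password leaks and name-derived passwords."""
from html.parser import HTMLParser

# Constructed sample page: the browser shows dots, but the server has put
# the plaintext password into the input's value attribute, so "view source"
# reveals it.  The password also equals the username, as the report describes.
SAMPLE_HTML = """
<form action="/profile">
  <input type="text" name="username" value="jsmith">
  <input type="password" name="password" value="jsmith">
</form>
"""


class PrefilledPasswordFinder(HTMLParser):
    """Collect every <input type="password"> whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.fields = {}  # name -> value for every input (lets us find the username)
        self.leaks = []   # (field name, leaked plaintext) for password inputs

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        name = a.get("name") or ""
        value = a.get("value") or ""          # attribute may be absent or bare
        self.fields[name] = value
        if (a.get("type") or "").lower() == "password" and value:
            self.leaks.append((name, value))


def find_prefilled_passwords(html):
    """Return [(field, value), ...] for password inputs pre-filled by the server."""
    p = PrefilledPasswordFinder()
    p.feed(html)
    return p.leaks


def is_name_derived(password, username, first, last):
    """True if the password is the username, the last name, the first
    initial plus last name, or the default 'admin' the portal accepted."""
    weak = {username, last, first[:1] + last, "admin"}
    return password.lower() in {w.lower() for w in weak}


def audit(html, first, last):
    """Findings for one page: leaked values, and whether each is name-derived."""
    p = PrefilledPasswordFinder()
    p.feed(html)
    username = p.fields.get("username", "")
    findings = []
    for field, value in p.leaks:
        findings.append(f"password leaked in source: field {field!r}")
        if is_name_derived(value, username, first, last):
            findings.append("password equals username/name-derived value")
    return findings
```

The fix on the server side is to never render the stored secret into the page at all: a password field should be sent back to the browser empty, and a change of password should require the old one to be re-entered.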
And that is not even the end of it. The main page of Equifax Argentina's employee portal lists 715 pages' worth of complaints and disputes from people who at some point in the last decade contacted Equifax by fax, phone, or email. The site also lists each person's DNI, which is pretty much the equivalent of a Social Security number in Argentina.
The good news is that after being contacted by Krebs about this, Equifax disabled the portal and opened an investigation to see how something like this could happen. However, it's pretty frightening that Equifax's security practices can be this horrid in the first place.
"To me, this is just negligence," Holden said. "In this case, their approach to security was just abysmal, and it’s hard to believe the rest of their operations are much better."