Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dutch ISP Discovers 140,000 Customers With Default Password

Posted by timothy on from the remove-fingers-from-dike-and-type-new-one dept.

bs0d3 writes "In Holland, a major ISP (KPN) has found a major security flaw for their customers. It seems that all customers have had the same default password of 'welkom01'. Up to 140,000 customers had retained their default passwords. Once inside attackers could have found bank account and credit card numbers. KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security."

4 of 99 comments (clear)

  1. Verizon online by Anonymous Coward · · Score: 5, Interesting

    had to ban the password abc123 on thier ADSL network years ago..

  2. Once upon a time... by Mr.+Firewall · · Score: 5, Interesting

    When I was a sysadmin at a certain Bible college known for its weak security, I collected the password hashes of the students & faculty and ran them through a cracker (John the Ripper if I remember correctly), then sent out a mass email with the decrypted passwords, sorted by the amount of time it took to crack them.

    Yeah, the majority of them were cracked within five seconds. Of course, I omitted the information on just whose passwords they were.

    Dunno if it resulted in anyone actually doing something about their passwords though.

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
  3. Re:It's the ISP's fault by Anonymous Coward · · Score: 5, Interesting

    Further, why was the credit/bank information displayed in full? Isn't that stuff usually masked out? I think all services that I subscribe too usually just show the last 3-4 numbers of the account information, for this reason (in case login credentials are stolen).

  4. Re:It's the ISP's fault by tlhIngan · · Score: 4, Interesting

    They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.

    Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.

    OTOH, I wonder if all 140,000 customers who used the default passowrd actually USED the account? It sounds like it was a customer service portal thing - not something they normally login with. For those people, they probalby managed their account by phone rather than thinking to log into the customer service potral and do all their changes there?