Equifax Had 'Admin' as Login and Password in Argentina

Reader wired_parrot writes: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations. The breach was revealed after security researchers discovered that an online employee tool used by Equifax Argentina was accessible using the "admin/admin" password combination.

MAGA

Make Admin Great Again

At this point, Equifux is circling the drain. Time for those insiders to cash out.

Re:MAGA

Some of them conveniently sold their stock the day before the big announcement... but of course they had no idea about the breach.

Re:MAGA

[The123king]

Yeh, they're fucked. I've been watching their stock price tumble over the last few days. Maybe by the end of the week i'll be able to buy the remnants of the company with the change i have in my back pocket.

Re:MAGA

[MoarSauce123]

This is what I thought about TJX back then as well. Equifux will have a bad quarter and after that it is business as usual. As security measure they will change the password on Admin accounts to either "God" or "Password123".

Re:MAGA

[pnutjam]

no love for nimda?

Are you shitting me ?

[Ziest]

What kind of moron working at a credit reporting agency fails to change the DEFAULT login and password. ? I hope that clown got fired

Re:Are you shitting me ?

[DontBeAMoran]

username: clown
password: fired

Added to my list of test logins/passwords.

Re:Are you shitting me ?

[wired_parrot]

It gets worse. From the article:

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. (...) However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name

But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

Re:Are you shitting me ?

So your default passwords now are correcthorsebatterystaple?

https://xkcd.com/936/

Re:Are you shitting me ?

[chispito]

What kind of moron working at a credit reporting agency fails to change the DEFAULT login and password. ? I hope that clown got fired

You must not get out much. The answer is "all kinds."

Re:Are you shitting me ?

[rogoshen1]

tyler durden might have been right.

Re:Are you shitting me ?

[supremebob]

They shouldn't just fire the admin, but the admin's boss for not having proper security audit procedures in place.

If they actually had an auditor for that branch, maybe they should fire them as well for not doing a basic password audit on admin accounts.

Re:Are you shitting me ?

[Revek]

Shouldn't you be arrested for this level of breech. If you worked at a bank and it was robbed because the security guard always left a door unlocked that would be considered criminal.

Re:Are you shitting me ?

[DivineKnight]

Nonsense. We have the Cloud now, so it's totally cool to use default or easily guessable passwords.

Re:Are you shitting me ?

[Mr+D+from+63]

Shouldn't you be arrested for this level of breech. If you worked at a bank and it was robbed because the security guard always left a door unlocked that would be considered criminal.

I'd at least cut their bonuses in half.

Re:Are you shitting me ?

[ArylAkamov]

I refuse to believe in this timeline. This is a special abstract kind of hell. How much do you think the people that came up with this system were paid?

Re:Are you shitting me ?

[cayenne8]

So your default passwords now are correcthorsebatterystaple?

Nah....I just usually use the same passcode as I do for my luggage.

Re:Are you shitting me ?

[ctilsie242]

Physical security and electronic security are two different fronts. With physical security, if a security guard left a guard unlocked, there is physical evidence. With electronic security, all a company has to say is something along the lines of "hackers will win no matter what, so why bother?" and they will get off with, at best, a stern talking-to.

The past shows this to be true. Ever see a large company actually suffer because of a security breach? Definitely not, especially after they do the PR gambits and demand people sign their life away in return for a few attoseconds of credit monitoring service.

Re:Are you shitting me ?

Argentinian here, I feel there's the need to clarify something: The DNI* thing is a red herring - in Argentina the number is like your name, using of using the DNI number as an enforced password is considered idiotic by normal people's standard

* Documento Nacional de Identidad, literally "national identity document" - it's used to refer to the document itself (it used to be a small book like a passport, nowadays it's an ID card) and the unique numeric identifier associated with the person itself

Re:Are you shitting me ?

I agree. I mostly work at small companies with a few employees and sales in millions not billions. The first thing I do is put better password policies in place.

I once worked with a company that had taken on agile a bit too far. Everything (and I mean every single bit change) had to go through adding a user story to a backlog, then stay there until biweekly sprint planning where it would be estimated according to tshirt size and presented to the product owner which then decided if it should be added to the upcoming sprint, moved back or tossed completely. At one point I had a story about replacing default passwords shot down with the reasoning that it simply did not provide any business value and that we should focus on user-facing features.

They are no longer in business.

Re:Are you shitting me ?

[Billly+Gates]

Nope. It says in the contract with Tata India they can't fire. But hey, they saved money in the sound of mere thousands and helped raise the share price by outsourcing their IT

Re:Are you shitting me ?

[zifn4b]

username: outsourced_clown
password: fired

Added to my list of test logins/passwords.

FTFY

Re:Are you shitting me ?

[Christinagirl1]

A friend of mine just brought up that we should just sell our own information now! LOL, we would be up $20 that way!

Re:Are you shitting me ?

I secure my luggage with a good key-ring, is more difficult to open than most of the small padlocks.

Re:Are you shitting me ?

A friend of mine just brought up that we should just sell our own information now! LOL, we would be up $20 that way!

Its only valuable to the extent that it can be used to manipulate your life. Selling it yourself would make it worth far less than even $20.

Re:Are you shitting me ?

[burtosis]

I refuse to believe in this timeline. This is a special abstract kind of hell. How much do you think the people that came up with this system were paid?

You are right to disbelieve. The world actually ended in 2012, just like the Mayan prophecy said. We have been living in a post apocalyptic nightmare inside the minds of the old ones ever since.

Re:Are you shitting me ?

[Mr.+Shotgun]

I don't see how a "debug mode" or an accident can get passwords located in the code like that, no matter how horri-bad a dev is.

Oh I can see it, some horri-bad dev write a "Select * from users" because that is the only SQL he knows and then finds a bunch of extra fields in his response. And rather than asking someone or googling about selecting fields he then marks all the rest of the fields as hidden. Out of site, out of mind. Only master haxxor ninjas know how to right click a page and select view source.

Re:Are you shitting me ?

[CaptainDork]

No.

Fire the motherfucker who hired that bastard (or bitch, as may apply).

Re:Are you shitting me ?

[crashumbc]

While true, it's at least generally VERY difficult to hide that you've ripped a zipper open...

Re:Are you shitting me ?

[dstyle5]

One... two... three... four... five?

Re:Are you shitting me ?

[CaptainDork]

2012 is close, but no.

When email first hit small business,ca. 1995, I was working at a law firm.

At a meeting, management directed me to stop all unsolicited emails from entering the building.

I explained what spam was, and told them to sue for lack of productivity or something because, fuck it, they were a bunch of goddam lawyers .

We revisited that shit for the next 20 years, off and on.

--

The "end" started when litigation never happened.

Re:Are you shitting me ?

No, Dinugs. If you can't move the clasp because it's been immobilized, remember? That's why you used a pen in the first place.

Re: Are you shitting me ?

[nitehawk214]

Well, he is an idiot.

Re: Are you shitting me ?

[nitehawk214]

It's idiotic and often illegal to use SSN that way in the US. Doesn't stop companies from doing it.

Re: Are you shitting me ?

[KGIII]

You have obviously never used any software that I wrote.

I have formally apologized.

Re:Are you shitting me ?

[lien_meat]

Oh I can see it, some horri-bad dev write a "Select * from users...

If they had hashed, or even encrypted the passwords in the db, then at least they'd not be plain text in the source if they did a "SELECT *...". But no, this was likely shoddy at the very base levels, all the way up into the front end. I shudder to think about it. The full stack was garbage for this to happen.

Re:Are you shitting me ?

[MoarSauce123]

I hope that clown gets a reprimand and the C-level manager in charge of security gets fired. You need to kick out the big heads, not the grossly underpaid and grossly overworked peons in IT.

Re:Are you shitting me ?

[LordWabbit2]

Well in my country we have regulations governing the storage of sensitive data, even before you can start storing it the software has to be certified that it meets (or exceeds) the given criteria for the type of data you want to store. Banking details is right up there next to top level security as far as the regulations are concerned. Worked on sports betting software and was handed the compliance document and told to go through it and make the software compliant where ever it was missing stuffs. This was BEFORE we even tried to get it certified of course, so to stress test it while we waited for them to get around to certifying it (took a year, and a LOT of money) they sent a team to Zimbabwe and they ran it there, since Zimbabwe's got fuck all regulations (or if they do it's not enforced).

To me this should be SOP for all software storing sensitive information.

Re:Are you shitting me ?

[ctilsie242]

My question is... are the regulations enforced? Sarbanes-Oxley comes to mind of regulations that sounded good, but the only time it really got enforced on a public basis, was when someone went over their catch limit fishing.

I wouldn't mind seeing consistency with regs across nations, and some merging of standards (HIPAA, CJIS, FERPA, FISMA, FedRAMP, PCI-DSS 3.2.) Of course, some things can't overlap, but most of the stuff can. Have the certification be done by a fair third party, like a UL listing, but for security.

Re:Are you shitting me ?

[Revek]

Having a username and password of admin/admin is the equivalent of leaving the door unlocked. Its in TFA.

Negligence does not get more gross

[gweihir]

This needs to be treated and punished the same as intent.

Re:Negligence does not get more gross

[DivineKnight]

Kind of an Oprah moment: "You get a pink slip, and you get a pink slip, everybody gets a pink slip!"

Oops?

[thegreatbob]

Yep, oops.

Jesus F*ing Christ!

[bjwest]

If this turns out to be true, everyone from the CTO to the entire board of directors needs to go prison for a very long time and their entire net worth distributed to the people affected by this. I'm not talking country club prison here either, I'm talking real prison where poor criminals go. And no class action where the lawyers get it all, but an outright equal distribution to everyone affected. Then the class action can come in and take the rest of the companies assets and pass out the $5 gift cards and the millions to the lawyers.

Re:Jesus F*ing Christ!

[Chewbacon]

But they won't. They'll get a $300 fine when adjusted to the average individual's income. Cost of doing business! Let's fuck over some more people!

Re:Jesus F*ing Christ!

[Christinagirl1]

Agreed! But sadly, this is a common theme. Just look at shodan. What a f*ing mess. The majority of companies don't care. They figure they can mitigate the risk. You know, if it costs 1mill to manage and they would only be sued for 100k if caught within a 1 year period ...it's acceptable. I think EVERY SINGLE American should freeze their credit and file a suit against them.

Re: Jesus F*ing Christ!

[nitehawk214]

And any fine they do get will get passed on to the public in order to preserve the executives bonuses.

Re: Jesus F*ing Christ!

[david_thornley]

Companies can't pass atypical costs onto the public. If the company could get more out of the public, it already would have. The costs get pushed back to the stockholders.

Amazing!

[computational+super]

That's the same combination I have on my luggage!

Re:Amazing!

[computational+super]

I tested it on your home router, too. Confirmed.

Sheer incompetence ...

an online employee tool used by Equifax Argentina was accessible using the "admin/admin" password combination

If this is the kind of internal stuff they have, they have no fucking business holding other people's data.

This is about as incompetent as you can get. Like epic incompetence. You're fired kind of incompetence. You should never have another fucking job in the industry kind of incompetence.

It will be hard to shield themselves from liability with that level of stupid.

more than one moron

[gosand]

I don't think you can single out one person, it seems as if there would be plenty of people to blame for not changing it.

Re:more than one moron

[drinkypoo]

I don't think you can single out one person, it seems as if there would be plenty of people to blame for not changing it.

And you can reasonably punish all of them.

Re:more than one moron

[OrangeTide]

Indeed, if it is a systematic problem then there is even more reason to take action to correct it.

Re:more than one moron

[angel'o'sphere]

Why does equipment even have a default user/password?
It simply should not function until you have changed/set it.

Re:more than one moron

[mschwanke97402]

Why does equipment even have a default user/password? It simply should not function until you have changed/set it.

That is actually true of a few modern devices. Unfortunately many of these device makers buy off-the-shelf firmware to plug in to their gadgets. Perhaps a regulation or two?

Re:more than one moron

[mcrbids]

Personally, I'm a fan of having a default password be something intrinsic and unique to that specific device, such as
a wifi router with the default password being both fairly strong and printed on the bottom.

Re:more than one moron

[angel'o'sphere]

Yes that makes sense.
Fixed enough wifis, where no one really knew why did not work and what the password is. Luckily they never changed the "build in" password, printed on the bottom.

wow..

[bravecanadian]

I mean we all know there is no such thing as 100% safe in information security but this is not even trying..

Second try

[canuck57]

Second try, I guess Admin/password didn't work.

mah brane hertz

[Mike+Van+Pelt]

oooooowwwww

Anyone want to place bets.....

[8127972]

...... On the original hack being caused by something as stupid as this?

Re:Anyone want to place bets.....

[Xyrus]

On the bright side Equifax's stock price is plummeting faster than a metric based Mars probe.

I hope they go bankrupt and every corporate board member spends the rest of their lives fighting identity theft. They deserve no less, since now I have to spend the rest of my fucking life fighting identity theft thanks to these assholes.

Re:Argentina you say?

[morethanapapercert]

We slashdotters like being in the know, so how about sharing the reference? We could all use a good giggle...

laughed out loud!

[Christinagirl1]

I just laughed out loud! Let me guess, all of their routers are admin G3t0ut.

Holy crap

[XSportSeeker]

Steve Gibson will have a field day with this one... I wonder how many more eggredious displays of a total lack of security practices it'll take to entirely close the thing down.

I want to work at Equifax!

[intnsred]

Really, I do want to work there!

I'll be a bloody genius there -- hell, even I know enough to change the login combo to "admin/equfax" -- and they'll pay me well for such brilliant security insights.

Oh, but wait.

Now that people -- and even chat-bots -- are suing them blind over this mindless security breach, I'm thinking that maybe there won't be a company left when they're through.

Re:I want to work at Equifax!

[sysrammer]

I see what you did there! You purposely misspelled "equifax" for the password. Brillant!

Re: I want to work at Equifax!

[nitehawk214]

If you can pretend to know what you are doing, you would make an excellent fall guy.

Ugly is skin deep...

[Sqreater]

...but stupid goes right to the bone.

Whiplash, from first to worst

[SuperKendall]

At first I thought, man that is TOO secure, keeping the admin password only in Argentina.

Then I understood what the headline was trying to say...

Memory aid

[trevc]

How else are they supposed to remember the password?

How is there no Hitler reaction video to all

[Kogun]

this dumbfuckery? Get on it people!

Re:How is there no Hitler reaction video to all

[Slayer]

The downfall meme is typically used for outrageous things. The whole Equifax story has gone down to such a level of ridiculousness, that it would rather call for the Risitas meme ...

Told you so...

[DarthVain]

*Ahem* I pretty much said as much previously. It's exciting to imagine a cabal of hackers doing things like this, however reality more often than not is just incompetence.

https://slashdot.org/comments....

You can't fix stupid

[mpercy]

Once again this proves that there is no technological solution to stupid human problems.

OTOH, a simple rule in the username/password database that prohibits admin/admin and other similar things like root/root could help. But then you'd just have people using their birthday or somesuch.

Don't cry for me, Argentina

[mpercy]

The truth is, I never left you
All through my wild days, my mad existence
I kept my promise
Don't keep your distance
And as for fortune, and as for fame
I never invited them in

Re:Do we know if they outsourced their IT

[guruevi]

Equifax Inc. has requested 96 H1B visa over the last 5 years all for $90k salary jobs (job market average there is ~$125k) for their Atlanta, GA offices.

In 2010 they outsourced their call centers overseas and 100 H1B's in the IT for a company of only 9500 employees means, yes, their entire IT department has been outsourced.