Slashdot Mirror


Equifax Had 'Admin' as Login and Password in Argentina (bbc.com)

Reader wired_parrot writes: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations. The breach was revealed after security researchers discovered that an online employee tool used by Equifax Argentina was accessible using the "admin/admin" password combination.

25 of 123 comments

  1. MAGA by Anonymous Coward · · Score: 3, Funny

    Make Admin Great Again

    At this point, Equifux is circling the drain. Time for those insiders to cash out.

    1. Re:MAGA by Anonymous Coward · · Score: 5, Insightful

      Some of them conveniently sold their stock the day before the big announcement... but of course they had no idea about the breach.

  2. Negligence does not get more gross by gweihir · · Score: 3, Insightful

    This needs to be treated and punished the same as intent.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Negligence does not get more gross by DivineKnight · · Score: 4, Funny

      Kind of an Oprah moment: "You get a pink slip, and you get a pink slip, everybody gets a pink slip!"

  3. Amazing! by computational super · · Score: 2

    That's the same combination I have on my luggage!

    --
    Proud neuron in the Slashdot hivemind since 2002.
  4. Re:Are you shitting me ? by DontBeAMoran · · Score: 4, Funny

    username: clown
    password: fired

    Added to my list of test logins/passwords.

    --
    #DeleteFacebook
  5. Re:Are you shitting me ? by wired_parrot · · Score: 5, Informative
    It gets worse. From the article:

    Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. (...) However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

    A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name

    But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

  6. Re:Are you shitting me ? by chispito · · Score: 2

    What kind of moron working at a credit reporting agency fails to change the DEFAULT login and password? I hope that clown got fired

    You must not get out much. The answer is "all kinds."

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  7. wow.. by bravecanadian · · Score: 3, Insightful

    I mean we all know there is no such thing as 100% safe in information security but this is not even trying..

  8. Second try by canuck57 · · Score: 2

    Second try, I guess Admin/password didn't work.

  9. Anyone want to place bets..... by 8127972 · · Score: 2

    ...... On the original hack being caused by something as stupid as this?

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:Anyone want to place bets..... by Xyrus · · Score: 3, Interesting

      On the bright side Equifax's stock price is plummeting faster than a metric based Mars probe.

      I hope they go bankrupt and every corporate board member spends the rest of their lives fighting identity theft. They deserve no less, since now I have to spend the rest of my fucking life fighting identity theft thanks to these assholes.

      --
      ~X~
  10. Re:Are you shitting me ? by rogoshen1 · · Score: 2

    tyler durden might have been right.

  11. Re:Are you shitting me ? by Revek · · Score: 3, Interesting

    Shouldn't you be arrested for this level of breach? If you worked at a bank and it was robbed because the security guard always left a door unlocked that would be considered criminal.

  12. Re:Are you shitting me ? by DivineKnight · · Score: 3, Insightful

    Nonsense. We have the Cloud now, so it's totally cool to use default or easily guessable passwords.

  13. Re:Are you shitting me ? by Mr D from 63 · · Score: 2

    Shouldn't you be arrested for this level of breach? If you worked at a bank and it was robbed because the security guard always left a door unlocked that would be considered criminal.

    I'd at least cut their bonuses in half.

  14. Re:Are you shitting me ? by Anonymous Coward · · Score: 5, Informative

    Argentinian here, I feel there's the need to clarify something: The DNI* thing is a red herring - in Argentina the number is like your name; using the DNI number as an enforced password is considered idiotic by normal people's standards

    * Documento Nacional de Identidad, literally "national identity document" - it's used to refer to the document itself (it used to be a small book like a passport, nowadays it's an ID card) and the unique numeric identifier associated with the person itself

  15. laughed out loud! by Christinagirl1 · · Score: 2

    I just laughed out loud! Let me guess, all of their routers are admin G3t0ut.

  16. Re:Are you shitting me ? by Christinagirl1 · · Score: 2

    A friend of mine just brought up that we should just sell our own information now! LOL, we would be up $20 that way!

  17. I want to work at Equifax! by intnsred · · Score: 2

    Really, I do want to work there!

    I'll be a bloody genius there -- hell, even I know enough to change the login combo to "admin/equfax" -- and they'll pay me well for such brilliant security insights.

    Oh, but wait.

    Now that people -- and even chat-bots -- are suing them blind over this mindless security breach, I'm thinking that maybe there won't be a company left when they're through.

  18. Re:Are you shitting me ? by burtosis · · Score: 2, Insightful

    I refuse to believe in this timeline. This is a special abstract kind of hell. How much do you think the people that came up with this system were paid?

    You are right to disbelieve. The world actually ended in 2012, just like the Mayan prophecy said. We have been living in a post apocalyptic nightmare inside the minds of the old ones ever since.

  19. Re:Are you shitting me ? by Mr. Shotgun · · Score: 3, Interesting

    I don't see how a "debug mode" or an accident can get passwords located in the code like that, no matter how horri-bad a dev is.

    Oh I can see it, some horri-bad dev writes a "Select * from users" because that is the only SQL he knows and then finds a bunch of extra fields in his response. And rather than asking someone or googling about selecting fields he then marks all the rest of the fields as hidden. Out of site, out of mind. Only master haxxor ninjas know how to right click a page and select view source.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  20. Re:more than one moron by angel'o'sphere · · Score: 5, Insightful

    Why does equipment even have a default user/password?
    It simply should not function until you have changed/set it.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  21. How is there no Hitler reaction video to all by Kogun · · Score: 3, Interesting

    this dumbfuckery? Get on it people!

  22. Re:more than one moron by mcrbids · · Score: 2

    Personally, I'm a fan of having a default password be something intrinsic and unique to that specific device, such as a wifi router with the default password being both fairly strong and printed on the bottom.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.