Slashdot Mirror

← Back to Stories (view on slashdot.org)

Equifax Had 'Admin' as Login and Password in Argentina (bbc.com)

Posted by msmash on from the security-woes dept.

Reader wired_parrot writes: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations. The breach was revealed after security researchers discovered that an online employee tool used by Equifax Argentina was accessible using the "admin/admin" password combination.

14 of 123 comments (clear)

  1. MAGA by Anonymous Coward · · Score: 3, Funny

    Make Admin Great Again

    At this point, Equifux is circling the drain. Time for those insiders to cash out.

    1. Re:MAGA by Anonymous Coward · · Score: 5, Insightful

      Some of them conveniently sold their stock the day before the big announcement... but of course they had no idea about the breach.

  2. Negligence does not get more gross by gweihir · · Score: 3, Insightful

    This needs to be treated and punished the same as intent.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Negligence does not get more gross by DivineKnight · · Score: 4, Funny

      Kind of an Oprah moment: "You get a pink slip, and you get a pink slip, everybody gets a pink slip!"

  3. Re:Are you shitting me ? by DontBeAMoran · · Score: 4, Funny

    username: clown
    password: fired

    Added to my list of test logins/passwords.

    --
    #DeleteFacebook
  4. Re:Are you shitting me ? by wired_parrot · · Score: 5, Informative
    It gets worse. From the article:

    Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. (...) However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

    A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name

    But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

  5. wow.. by bravecanadian · · Score: 3, Insightful

    I mean we all know there is no such thing as 100% safe in information security but this is not even trying..

  6. Re:Are you shitting me ? by Revek · · Score: 3, Interesting

    Shouldn't you be arrested for this level of breech. If you worked at a bank and it was robbed because the security guard always left a door unlocked that would be considered criminal.

  7. Re:Are you shitting me ? by DivineKnight · · Score: 3, Insightful

    Nonsense. We have the Cloud now, so it's totally cool to use default or easily guessable passwords.

  8. Re:Are you shitting me ? by Anonymous Coward · · Score: 5, Informative

    Argentinian here, I feel there's the need to clarify something: The DNI* thing is a red herring - in Argentina the number is like your name, using of using the DNI number as an enforced password is considered idiotic by normal people's standard

    * Documento Nacional de Identidad, literally "national identity document" - it's used to refer to the document itself (it used to be a small book like a passport, nowadays it's an ID card) and the unique numeric identifier associated with the person itself

  9. Re:Are you shitting me ? by Mr.+Shotgun · · Score: 3, Interesting

    I don't see how a "debug mode" or an accident can get passwords located in the code like that, no matter how horri-bad a dev is.

    Oh I can see it, some horri-bad dev write a "Select * from users" because that is the only SQL he knows and then finds a bunch of extra fields in his response. And rather than asking someone or googling about selecting fields he then marks all the rest of the fields as hidden. Out of site, out of mind. Only master haxxor ninjas know how to right click a page and select view source.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  10. Re:more than one moron by angel'o'sphere · · Score: 5, Insightful

    Why does equipment even have a default user/password?
    It simply should not function until you have changed/set it.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  11. How is there no Hitler reaction video to all by Kogun · · Score: 3, Interesting

    this dumbfuckery? Get on it people!

  12. Re:Anyone want to place bets..... by Xyrus · · Score: 3, Interesting

    On the bright side Equifax's stock price is plummeting faster than a metric based Mars probe.

    I hope they go bankrupt and every corporate board member spends the rest of their lives fighting identity theft. They deserve no less, since now I have to spend the rest of my fucking life fighting identity theft thanks to these assholes.

    --
    ~X~