Slashdot Mirror


Equifax Had 'Admin' as Login and Password in Argentina (bbc.com)

Reader wired_parrot writes: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations. The breach was revealed after security researchers discovered that an online employee tool used by Equifax Argentina was accessible using the "admin/admin" password combination.

4 of 123 comments

  1. Re:Are you shitting me ? by wired_parrot · Score: 5, Informative
    It gets worse. From the article:

    Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. (...) However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

    A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name

    But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

  2. Re:MAGA by Anonymous Coward · Score: 5, Insightful

    Some of them conveniently sold their stock the day before the big announcement... but of course they had no idea about the breach.

  3. Re:Are you shitting me ? by Anonymous Coward · Score: 5, Informative

    Argentinian here, I feel there's the need to clarify something: The DNI* thing is a red herring - in Argentina the number is like your name; using the DNI number as an enforced password is considered idiotic by normal people's standards.

    * Documento Nacional de Identidad, literally "national identity document" - it's used to refer to the document itself (it used to be a small book like a passport, nowadays it's an ID card) and the unique numeric identifier associated with the person itself

  4. Re:more than one moron by angel'o'sphere · Score: 5, Insightful

    Why does equipment even have a default user/password?
    It simply should not function until you have changed/set it.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.