Equifax Had 'Admin' as Login and Password in Argentina (bbc.com) 123

Reader wired_parrot writes: The credit report provider Equifax has been accused of a fresh data security breach, this time affecting its Argentine operations. The breach was revealed after security researchers discovered that an online employee tool used by Equifax Argentina was accessible using the "admin/admin" password combination.

  • MAGA (Score:3, Funny)

    by Anonymous Coward on Wednesday September 13, 2017 @02:54PM (#55189989)

    Make Admin Great Again

    At this point, Equifux is circling the drain. Time for those insiders to cash out.

  • What kind of moron working at a credit reporting agency fails to change the DEFAULT login and password? I hope that clown got fired.

    • by DontBeAMoran ( 4843879 ) on Wednesday September 13, 2017 @03:04PM (#55190097)

      username: clown
      password: fired

      Added to my list of test logins/passwords.

    • I don't think you can single out one person; it seems as if there would be plenty of people to blame for not changing it.

      • I don't think you can single out one person; it seems as if there would be plenty of people to blame for not changing it.

        And you can reasonably punish all of them.

    • by wired_parrot ( 768394 ) on Wednesday September 13, 2017 @03:04PM (#55190105)
      It gets worse. From the article:

      Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. (...) However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.

      A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name.

      But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

      • I refuse to believe in this timeline. This is a special abstract kind of hell. How much do you think the people that came up with this system were paid?

        • Re: (Score:3, Insightful)

          by burtosis ( 1124179 )

          I refuse to believe in this timeline. This is a special abstract kind of hell. How much do you think the people that came up with this system were paid?

          You are right to disbelieve. The world actually ended in 2012, just like the Mayan prophecy said. We have been living in a post apocalyptic nightmare inside the minds of the old ones ever since.

          • 2012 is close, but no.

            When email first hit small business, ca. 1995, I was working at a law firm.

            At a meeting, management directed me to stop all unsolicited emails from entering the building.

            I explained what spam was, and told them to sue for lack of productivity or something because, fuck it, they were a bunch of goddam lawyers.

            We revisited that shit for the next 20 years, off and on.

            --

            The "end" started when litigation never happened.

      • by Anonymous Coward on Wednesday September 13, 2017 @03:51PM (#55190575)

        Argentinian here, I feel there's the need to clarify something: The DNI* thing is a red herring - in Argentina the number is like your name, and using the DNI number as an enforced password is considered idiotic by normal people's standards.

        * Documento Nacional de Identidad, literally "national identity document" - it's used to refer to the document itself (it used to be a small book like a passport, nowadays it's an ID card) and the unique numeric identifier associated with the person itself

      • A friend of mine just brought up that we should just sell our own information now! LOL, we would be up $20 that way!
        • by Anonymous Coward

          A friend of mine just brought up that we should just sell our own information now! LOL, we would be up $20 that way!

          It's only valuable to the extent that it can be used to manipulate your life. Selling it yourself would make it worth far less than even $20.

    • What kind of moron working at a credit reporting agency fails to change the DEFAULT login and password? I hope that clown got fired.

      You must not get out much. The answer is "all kinds."

      • by Revek ( 133289 ) on Wednesday September 13, 2017 @03:21PM (#55190313) Homepage

        Shouldn't you be arrested for this level of breach? If you worked at a bank and it was robbed because the security guard always left a door unlocked, that would be considered criminal.

        • Shouldn't you be arrested for this level of breach? If you worked at a bank and it was robbed because the security guard always left a door unlocked, that would be considered criminal.

          I'd at least cut their bonuses in half.

        • Physical security and electronic security are two different fronts. With physical security, if a security guard left a door unlocked, there is physical evidence. With electronic security, all a company has to say is something along the lines of "hackers will win no matter what, so why bother?" and they will get off with, at best, a stern talking-to.

          The past shows this to be true. Ever see a large company actually suffer because of a security breach? Definitely not, especially after they do the PR gambi

          • Well in my country we have regulations governing the storage of sensitive data, even before you can start storing it the software has to be certified that it meets (or exceeds) the given criteria for the type of data you want to store. Banking details is right up there next to top level security as far as the regulations are concerned. Worked on sports betting software and was handed the compliance document and told to go through it and make the software compliant where ever it was missing stuffs. This w
            • My question is... are the regulations enforced? Sarbanes-Oxley comes to mind of regulations that sounded good, but the only time it really got enforced on a public basis, was when someone went over their catch limit fishing.

              I wouldn't mind seeing consistency with regs across nations, and some merging of standards (HIPAA, CJIS, FERPA, FISMA, FedRAMP, PCI-DSS 3.2.) Of course, some things can't overlap, but most of the stuff can. Have the certification be done by a fair third party, like a UL listing, but f

          • by Revek ( 133289 )

            Having a username and password of admin/admin is the equivalent of leaving the door unlocked. It's in TFA.

    • Tyler Durden might have been right.

    • They shouldn't just fire the admin, but the admin's boss for not having proper security audit procedures in place.

      If they actually had an auditor for that branch, maybe they should fire them as well for not doing a basic password audit on admin accounts.

    • by DivineKnight ( 3763507 ) on Wednesday September 13, 2017 @03:23PM (#55190327)

      Nonsense. We have the Cloud now, so it's totally cool to use default or easily guessable passwords.

    • Nope. It says in the contract with Tata India they can't fire. But hey, they saved money in the sound of mere thousands and helped raise the share price by outsourcing their IT.

    • No.

      Fire the motherfucker who hired that bastard (or bitch, as may apply).

    • I hope that clown gets a reprimand and the C-level manager in charge of security gets fired. You need to kick out the big heads, not the grossly underpaid and grossly overworked peons in IT.
  • by gweihir ( 88907 ) on Wednesday September 13, 2017 @02:59PM (#55190037)

    This needs to be treated and punished the same as intent.

  • Yep, oops.
  • If this turns out to be true, everyone from the CTO to the entire board of directors needs to go to prison for a very long time and their entire net worth distributed to the people affected by this. I'm not talking country club prison here either, I'm talking real prison where poor criminals go. And no class action where the lawyers get it all, but an outright equal distribution to everyone affected. Then the class action can come in and take the rest of the companies assets and pass out the $5 gift cards.
    • But they won't. They'll get a $300 fine when adjusted to the average individual's income. Cost of doing business! Let's fuck over some more people!

    • Agreed! But sadly, this is a common theme. Just look at shodan. What a f*ing mess. The majority of companies don't care. They figure they can mitigate the risk. You know, if it costs 1mill to manage and they would only be sued for 100k if caught within a 1 year period ...it's acceptable. I think EVERY SINGLE American should freeze their credit and file a suit against them.
  • by computational super ( 740265 ) on Wednesday September 13, 2017 @03:03PM (#55190083)
    That's the same combination I have on my luggage!
  • by Anonymous Coward

    an online employee tool used by Equifax Argentina was accessible using the "admin/admin" password combination

    If this is the kind of internal stuff they have, they have no fucking business holding other people's data.

    This is about as incompetent as you can get. Like epic incompetence. You're fired kind of incompetence. You should never have another fucking job in the industry kind of incompetence.

    It will be hard to shield themselves from liability with that level of stupid.

  • wow.. (Score:4, Insightful)

    by bravecanadian ( 638315 ) on Wednesday September 13, 2017 @03:09PM (#55190169)

    I mean we all know there is no such thing as 100% safe in information security but this is not even trying..

  • by canuck57 ( 662392 ) on Wednesday September 13, 2017 @03:09PM (#55190173)

    Second try, I guess Admin/password didn't work.

  • oooooowwwww

  • by 8127972 ( 73495 ) on Wednesday September 13, 2017 @03:19PM (#55190295)

    ...... On the original hack being caused by something as stupid as this?

  • I just laughed out loud! Let me guess, all of their routers are admin G3t0ut.

  • Steve Gibson will have a field day with this one... I wonder how many more egregious displays of a total lack of security practices it'll take to entirely close the thing down.

  • by intnsred ( 199771 ) on Wednesday September 13, 2017 @04:19PM (#55190759)

    Really, I do want to work there!

    I'll be a bloody genius there -- hell, even I know enough to change the login combo to "admin/equfax" -- and they'll pay me well for such brilliant security insights.

    Oh, but wait.

    Now that people -- and even chat-bots [theverge.com] -- are suing them blind over this mindless security breach, I'm thinking that maybe there won't be a company left when they're through.

  • ...but stupid goes right to the bone.
  • At first I thought, man that is TOO secure, keeping the admin password only in Argentina.

    Then I understood what the headline was trying to say...

  • How else are they supposed to remember the password?
  • by Kogun ( 170504 ) on Wednesday September 13, 2017 @07:11PM (#55191975)

    this dumbfuckery? Get on it, people!

    • by Slayer ( 6656 )
      The downfall meme is typically used for outrageous things. The whole Equifax story has gone down to such a level of ridiculousness, that it would rather call for the Risitas meme ...
  • *Ahem* I pretty much said as much previously. It's exciting to imagine a cabal of hackers doing things like this; however, reality more often than not is just incompetence.

    https://slashdot.org/comments.... [slashdot.org]

  • Once again this proves that there is no technological solution to stupid human problems.

    OTOH, a simple rule in the username/password database that prohibits admin/admin and other similar things like root/root could help. But then you'd just have people using their birthday or somesuch.
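As an added illustration of the rule proposed in the comment above, and of the "every password equals the username" pattern quoted from the Krebs article earlier in the thread, here is a small Python credential-hygiene check. It is not code from the original post or from Equifax; the account records, the default-pair set and the denylist are constructed for the example, and `accept_new_password` is a hypothetical hook standing in for wherever a real system sets or rotates passwords.

```python
"""Credential-hygiene check: reject or flag passwords that are a known
default pair (admin/admin, root/root, ...), equal the username, are a
trivial variant of it, or sit on a denylist.

Added example for this discussion.  All records below are constructed;
a real audit would run through a password-verification hook or a
breached-password list, never a plaintext dump of the directory.
"""
from dataclasses import dataclass

MIN_LENGTH = 12

# Constructed default-credential pairs (username, password), lowercase.
DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("root", "root"),
    ("guest", "guest"),
    ("admin", "password"),
    ("administrator", "admin"),
}

# Constructed denylist; in practice load a published breached-password list.
WEAK_PASSWORDS = {"password", "123456", "admin", "letmein", "welcome"}


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def _normalise(value: str) -> str:
    return value.strip().lower()


def check_credential(username: str, password: str) -> list[str]:
    """Return every policy violation for one username/password pair.

    An empty list means the pair passes.  Comparison is case-insensitive
    so 'Admin'/'ADMIN' is caught as well as 'admin'/'admin'.
    """
    u, p = _normalise(username), _normalise(password)
    reasons: list[str] = []
    if (u, p) in DEFAULT_PAIRS:
        reasons.append("known default credential pair")
    if p == u:
        reasons.append("password equals username")
    elif u and u in p and len(p) - len(u) <= 2:
        # e.g. "jsmith1" or "smith!": the username plus a character or two
        reasons.append("password is a trivial variant of the username")
    if p in WEAK_PASSWORDS:
        reasons.append("password on denylist")
    if len(p) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def accept_new_password(username: str, password: str) -> bool:
    """Hypothetical hook for the 'rule in the password database':
    refuse the change when any violation is present."""
    return not check_credential(username, password)


def audit(records: list[tuple[str, str]]) -> list[Finding]:
    """Flag every violation across a batch of existing accounts."""
    return [
        Finding(username, reason)
        for username, password in records
        for reason in check_credential(username, password)
    ]


def flagged_usernames(records: list[tuple[str, str]]) -> set[str]:
    return {f.username for f in audit(records)}


# Constructed sample accounts, not real data.
SAMPLE_ACCOUNTS = [
    ("admin", "admin"),                           # the default pair from the story
    ("root", "root"),
    ("garcia", "garcia"),                         # password == last name, as quoted above
    ("jperez", "JPerez1"),                        # username plus one digit
    ("mlopez", "correct-horse-battery-staple"),   # passes
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(f"{finding.username}: {finding.reason}")
```

The same `check_credential` serves both uses: run `audit` over an existing account list to find what a review like the one quoted above would have found, and call `accept_new_password` at password-set time so admin/admin and username-as-password never get stored in the first place.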

  • The truth is, I never left you
    All through my wild days, my mad existence
    I kept my promise
    Don't keep your distance
    And as for fortune, and as for fame
    I never invited them in
