
Equifax used 'admin' as username and password for sensitive data: lawsuit

Flying Sausages

https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html

Quote

Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia.

The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail.

“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.

The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website.

When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, “it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.”

The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don’t come from wronged consumers, but rather shareholders that allege the company didn’t adequately disclose risks or its security practices.

You think a company storing your data in plain text with no encryption is bad security practice? Well, using "admin" for the username and password login is another bad security practice too. No surprise that even a big company like Equifax is using "admin" for the username and password login information. How can you be this bad at protecting consumer information? A data breach from a software exploit or vulnerability or zero-day is another story, but a data breach from using "admin" as login information is just way too stupid; you could prevent it in less than 10 minutes just by changing the username and password.


That's what happens when you cut costs on security

and hire cheap A$$ staff that don't care about their job due to the low salary they get.

 

 

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

Years of studying computers and you use the most basic password? Omega brain.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


There's so many problems with this, it's honestly beyond a joke.

Who keeps a private database on a public-facing webserver anyway? Why wasn't the subdomain locked? What moron chose admin for a username and password?

Fairly obviously whoever set this up for them had no fucking clue. I'm hardly an expert on webservers but even I know about .htaccess. It's really not difficult to hide a subdomain from the public internet and make it local only.

Mind you, they probably would have used admin for the username and password in the .htaccess file anyway.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

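One way to do what the post above describes, as an added example that is not Equifax's configuration and not code from the thread: an Apache 2.4 fragment that both restricts an administrative path to an internal address range and requires a named account from a password file kept outside the web root. The path, the network range and the file locations are assumptions. Note that in Apache 2.4 several bare Require lines default to RequireAny (any one of them is enough), so the two conditions are wrapped in RequireAll to make both mandatory.

```apache
# Added example; the path, the 10.10.0.0/16 range and the file locations are assumptions.
<Location "/dispute-admin/">
    # Basic auth sends the password with every request, so refuse plain HTTP here.
    SSLRequireSSL

    AuthType Basic
    AuthName "Dispute management (internal)"
    # Password file lives outside DocumentRoot so the server can never serve it.
    AuthUserFile "/etc/httpd/private/dispute.htpasswd"

    # Both must hold: the request comes from the internal range AND carries a named account.
    <RequireAll>
        Require ip 10.10.0.0/16
        Require valid-user
    </RequireAll>
</Location>
```

Create the accounts with `htpasswd -B -c /etc/httpd/private/dispute.htpasswd jsmith` for the first user (`-B` selects bcrypt) and `htpasswd -B /etc/httpd/private/dispute.htpasswd <user>` without `-c` for the rest, one account per person rather than a shared login, so the access log stays attributable. The same directives work from a `.htaccess` file only if `AllowOverride` permits them; putting them in the virtual host avoids that dependency.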

10 hours ago, Vishera said:

That's what happens when you cut costs on security

and hire cheap A$$ staff that don't care about their job due to the low salary they get.

 

 

But then you demand cheap products so what goes around comes around. 


11 hours ago, TempestCatto said:

That's like having one of those fake rocks to hide a house key in, but instead of blending it in with your front garden, you just leave it under the door mat.

More like you leave it in a giant plastic key, with the words "if you forget, key in here" on the doorstep.


Using admin/admin as your login credentials is not necessarily bad. The bad part is when you have it on a public-facing server.


Why am I not surprised...

 


PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


20 minutes ago, rcmaehl said:

Why am I not surprised...

This is exactly why the tech industry (SPECIFICALLY security) is in such a sorry state right now. This shit is everywhere and it's all going to hit the fan at some point.


THIS IS WHY I'M TRYING TO GET INTO IT!! So I can do better than that!! The industry needs THE BEST

Moist


Good Gods, I should be making a killing as a security consultant if this is the kind of nonsense that these companies are engaging in.

乇乂丅尺卂 丅卄工匚匚


20 minutes ago, The_Prycer said:

Good Gods, I should be making a killing as a security consultant if this is the kind of nonsense that these companies are engaging in.

You have NO idea.

 

There's at least a dozen places I refuse to shop due to lack of security. The number of stores that put POS systems on the same VLAN as other devices, or even don't use VLANs at all, is too damn high.


1 hour ago, rcmaehl said:

Why am I not surprised...

 


That's not the problem.

The problem is that she did nothing to prevent this, if she did anything at all.

She is probably talking on the phone all day with friends while in the office eating donuts.


Doesn't every decent IT system have minimum password requirements???

 

Equifax is simply a joke after this. How on earth can anyone trust them with any data going forward when they cannot even meet, for internal accounts, the standards of every single online account I hold?

Main Machine:  16 inch MacBook Pro (2021), Apple M1 Pro (10 CPU, 16 GPU Core), 512GB SDD, 16GB RAM

Gaming Machine:  Acer Nitro 5, Core i7 10750H, RTX 3060 (L) 6GB, 1TB SSD (Boot), 2TB SSD (Storage), 32GB DDR4 RAM

Other Tech: iPhone 15 Pro Max, Series 6 Apple Watch (LTE), AirPods Max, PS4, Nintendo Switch, PS3, Xbox 360

Network Gear:  TP Link Gigabit 24 Port Switch, TP-Link Deco M4 Mesh Wi-Fi, M1 MacMini File & Media Server with 8TB of RAID 1 Storage


4 hours ago, LAwLz said:

using admin/admin as your login credentials is not necessairly bad. The bad part is when you have it on a public facing server.

Yes, it is bad - because it is the default. They didn't exactly explain the whole nature of the setup, but this sounds like the default configuration of a lot of NAT devices, from home routers up to enterprise web servers. Chances are, the login was default, and the remote administration option was on by default, and left on. It takes literally seconds to change that configuration so you have a non-default password and remote administration is turned off. People commonly fail to do this on their home routers, but for an enterprise to do it is pathetic.

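As an added example that is not part of the thread, the lawsuit or any vendor's code: a small credential-hygiene check of the kind a practitioner runs over an inventory of management portals, applying the points made in the posts above. A vendor default credential or a password equal to the username is always a finding; exposure decides how bad it is (public-facing is critical, reachable only through a VPN and a jump host is lower but still flagged). The inventory, the hostnames and the short default-credential list are constructed for illustration.

```python
"""Credential-hygiene audit over an inventory of admin portals.

Added example, not code from the article or the forum posts. The inventory
and the default-credential list below are constructed for illustration.
"""
from dataclasses import dataclass

# A few well-known vendor defaults. Assumption: a real audit loads a much
# longer list (vendor default lists, breached-password corpora).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("root", "toor"),
    ("administrator", "password"),
}

# Length plus a denylist of known-bad passwords, rather than composition rules.
MIN_LENGTH = 14


@dataclass(frozen=True)
class Portal:
    host: str
    username: str
    password: str
    public_facing: bool              # reachable from the internet
    behind_jump_host: bool = False   # reachable only via VPN and a jump host


def password_findings(username: str, password: str) -> list[str]:
    """Return the reasons a credential pair fails policy (empty list if it passes)."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        findings.append("vendor default credential")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def severity(portal: Portal, findings: list[str]) -> str:
    """Exposure decides how bad a weak credential is."""
    if not findings:
        return "ok"
    if portal.public_facing:
        return "critical"   # anyone on the internet gets a free guess at admin/admin
    if portal.behind_jump_host:
        return "medium"     # VPN and jump host must fall first; accounting is still broken
    return "high"           # any insider or foothold on the LAN reaches it directly


def audit(portals: list[Portal]) -> dict[str, tuple[str, list[str]]]:
    """Map each host to (severity, findings)."""
    report = {}
    for p in portals:
        f = password_findings(p.username, p.password)
        report[p.host] = (severity(p, f), f)
    return report


# Constructed inventory; hostnames are fictional.
INVENTORY = [
    Portal("disputes.example.test", "admin", "admin", public_facing=True),
    Portal("core-sw01.example.test", "admin", "admin",
           public_facing=False, behind_jump_host=True),
    Portal("vpn.example.test", "jsmith", "correct-horse-battery-staple-2019",
           public_facing=True),
]

if __name__ == "__main__":
    for host, (sev, reasons) in audit(INVENTORY).items():
        print(f"{sev:8} {host}: {', '.join(reasons) or 'passes policy'}")
```

Run against the constructed inventory, the public-facing dispute portal with admin/admin comes out critical with three findings, the same credential on a switch behind VPN and jump host comes out medium, and the long non-default password passes. The severity ladder is the part to adapt: it encodes how much has to be compromised before an attacker reaches the login page, which is the trade-off argued later in this thread.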

You could hire high school students to do a better job than that security wise.

Please quote my post, or put @paddy-stone if you want me to respond to you.

Spoiler
  • PCs:- 
  • Main PC build  https://uk.pcpartpicker.com/list/2K6Q7X
  • ASUS x53e  - i7 2670QM / Sony BD writer x8 / Win 10, Elemetary OS, Ubuntu/ Samsung 830 SSD
  • Lenovo G50 - 8Gb RAM - Samsung 860 Evo 250GB SSD - DVD writer
  •  
  • Displays:-
  • Philips 55 OLED 754 model
  • Panasonic 55" 4k TV
  • LG 29" Ultrawide
  • Philips 24" 1080p monitor as backup
  •  
  • Storage/NAS/Servers:-
  • ESXI/test build  https://uk.pcpartpicker.com/list/4wyR9G
  • Main Server https://uk.pcpartpicker.com/list/3Qftyk
  • Backup server - HP Proliant Gen 8 4 bay NAS running FreeNAS ZFS striped 3x3TiB WD reds
  • HP ProLiant G6 Server SE316M1 Twin Hex Core Intel Xeon E5645 2.40GHz 48GB RAM
  •  
  • Gaming/Tablets etc:-
  • Xbox One S 500GB + 2TB HDD
  • PS4
  • Nvidia Shield TV
  • Xiaomi/Pocafone F2 pro 8GB/256GB
  • Xiaomi Redmi Note 4

 

  • Unused Hardware currently :-
  • 4670K MSI mobo 16GB ram
  • i7 6700K  b250 mobo
  • Zotac GTX 1060 6GB Amp! edition
  • Zotac GTX 1050 mini

 

 


3 hours ago, Kenji the Uke said:

THIS IS WHY IM TRYING TO GET INTO IT!! So I can do better than that!! The industry needs THE BEST

Same here. This is absolutely pathetic.


4 hours ago, Euchre said:

Yes, it is bad - because it is the default. They didn't exactly explain the whole nature of the setup, but this sounds like the default configuration of a lot of NAT devices, from home routers up to enterprise web servers. Chances are, the login was default, and the remote administration option was on by default, and left on. It takes literally seconds to change that configuration so you have a non-default password and remote administration is turned off. People commonly fail to do this on their home routers, but for an enterprise to do it is pathetic.

Agreed.

 

8 hours ago, LAwLz said:

using admin/admin as your login credentials is not necessairly bad. The bad part is when you have it on a public facing server.

Is it okay to setup AD Servers with the admin/admin login combo because it's internal?


4 hours ago, Euchre said:

Yes, it is bad - because it is the default. They didn't exactly explain the whole nature of the setup, but this sounds like the default configuration of a lot of NAT devices, from home routers up to enterprise web servers. Chances are, the login was default, and the remote administration option was on by default, and left on. It takes literally seconds to change that configuration so you have a non-default password and remote administration is turned off. People commonly fail to do this on their home routers, but for an enterprise to do it is pathetic.

It might not be that bad, depending on what other security measures you have in place.

 

 

7 minutes ago, Leviathan- said:

Is it okay to setup AD Servers with the admin/admin login combo because it's internal?

Preferably not, but depending on what other security measures are in place it might not be THAT bad.

On an AD server it's definitely not recommended, insider threats are a thing, but "the login was admin/admin" is not automatically the greatest sin ever. If you have proper security in place, then there are already several things which need to be compromised before you even get to the login page.

For example it's recommended to use a jump server to access administrative things. If I sit at my computer at work, I can't reach our networking equipment. In order to do that, I need to VPN into a specific network, and then I need to login to a jump server, and then I can login to our networking gear. So I have 3 things I need username and password for in order to access something. It wouldn't be a catastrophe if the last one was admin/admin.

If you ask me, the biggest problem with using admin/admin in a setup like at my work isn't that some unauthorized person can guess the password, it's that you can't do proper accounting if everyone uses the same login.

 

 

And let's be clear, I am not saying it's a good idea to use admin/admin. What I am saying is that it's not automatically as massive of a fuckup as you might think, assuming other things are in place.

Enterprise networks are generally not configured like a home network where everyone can reach everything. They are (or should be) more locked down and secure than that.


10 minutes ago, Leviathan- said:

Is it okay to setup AD Servers with the admin/admin login combo because it's internal?

Sure! Also, you should see about an IT job with Target!

 

(For those that don't know, in 2013 Target suffered a major data breach because a 3rd party login allowed access to the ENTIRE internal network, including that for the POS [Point Of Sale] systems, including the card readers that the hackers were able to exploit to capture 41-70 million debit and credit cards. Everyone from the Pepsi vendor to the CEO had the same level of network access.)


1 hour ago, LAwLz said:

It might not be that bad, depending on what other security measures you have in place.

 

 

Preferably not, but depending on what other security measures are in place it might not be THAT bad.

On an AD server it's definitely not recommended, insider threats are a thing, but "the login was admin/admin" is not automatically the greatest sin ever. If you have proper security in place, then there are already several things which need to be compromised before you even get to the login page.

For example it's recommended to use a jump server to access administrative things. If I sit at my computer at work, I can't reach our networking equipment. In order to do that, I need to VPN into a specific network, and then I need to login to a jump server, and then I can login to our networking gear. So I have 3 things I need username and password for in order to access something. It wouldn't be a catastrophe if the last one was admin/admin.

If you ask me, the biggest problem with using admin/admin in a setup like at my work isn't that some unauthorized person can guess the password, it's that you can't do proper accounting if everyone uses the same login.

 

 

And let's be clear, I am not saying it's a good idea to use admin/admin. What I am saying is that it's not automatically as massive of a fuckup as you might think, assuming other things are in place.

Enterprise networks are generally not configured like a home network where everyone can reach everything. They are (or should be) more locked down and secure than that.

Now that is how you should have followed up with your original comment. Sounds like you guys are following a good standard.

 

1 hour ago, Euchre said:

Sure! Also, you should see about an IT job with Target!

 

(For those that don't know, in 2013 Target suffered a major data breach because a 3rd party login allowed access to the ENTIRE internal network, including that for the POS [Point Of Sale] systems, including the card readers that the hackers were able to exploit to capture 41-70 million debit and credit cards. Everyone from the Pepsi vendor to the CEO had the same level of network access.)

If I recall correctly, without googling, it was an HVAC contractor's account, left active with no expiration date, that they used to achieve all of this. Can I use you as a reference for my job with Target?


1 hour ago, Leviathan- said:

If I recall correctly, without googling, it was a hvac contractors account that was left active with no expiration date they used to achieve all of this. Can I use you as a recommendation for my job with Target?

It was a contractor, but from what I can see the contractor was still working with them (this is common in retail - they don't service their own HVAC normally), and that contractor's systems were compromised via a malicious link in an email. The contractor stored the credentials on their systems in plain text apparently, although the vector would've been an easy one to get via word of mouth from any 3rd party contractor or vendor. So, an unhappy former vendor rep could've given credentials out just as easily, or been social engineered into giving them out. Any credential would do. If Target's systems had been configured properly, such 3rd parties would not have been able to compromise the POS systems, at least without another flaw like a zero day or other unaddressed exploit to allow elevation of privileges.

 

And no, you couldn't use me for a recommendation, for several reasons, none so glamorous as having been involved with that hack, though.

