Oh, Equifax. Things just keep getting worse.
Equifax protected some accounts connected to an internal portal in Argentina with the password “admin,” in a move that was either incredibly amateur or hubristic (or both).
The screwup was discovered by Milwaukee-based cybersecurity firm Hold Security, which was able to gain access to a number of people’s personal data using, according to CNBC, “guesswork.”
This horrible password, which deserves a huge facepalm, played no part in the security breach that impacted 143 million Americans. Still, Hold Security was able to access the Argentinean equivalent of social security numbers for about 100 employees and consumer credit report disputes. Once the company portal was accessed, a user could fiddle with employee data, and even sneak around to steal employees’ usernames and passwords, according to security researcher and blogger Brian Krebs, whose call to Equifax about the issue led to the portal being taken down. Hold Security reached out to Krebs following the discovery.
In a statement, an Equifax representative claimed that nobody’s private data was compromised due to the lame password. “We immediately acted to remediate the situation, which affected a limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions,” the spokesperson wrote. “What I can tell you is that we fixed the vulnerability immediately upon learning of it, and that this internet portal hasn’t been in use since 2013.”
Equifax is currently facing multiple investigations over this month’s massive security breach, including one from the Federal Trade Commission.
In an age when even the Weight Watchers website requires you to include a number in your password, a credit reporting agency containing private data should probably give that a thought.
Let’s hope no one at Equifax ever uses “password.”