Equifax Used 'admin' as Username and Password for Sensitive Data: Lawsuit (yahoo.com)
A user writes: When it comes to using strong usernames and passwords for administrative purposes, let alone customer-facing portals, Equifax appears to have dropped the ball. Equifax used the word "admin" as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia. The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail. "Equifax employed the username 'admin' and the password 'admin' to protect a portal used to manage credit disputes, a password that 'is a surefire way to get hacked,'" the lawsuit reads. The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website. When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, "it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data." The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don't come from wronged consumers, but rather shareholders that allege the company didn't adequately disclose risks or its security practices.
Admin as password (Score:5, Funny)
You mean I shouldn't use Admin for all my passwords?
dayamn, that's so 3rd grade (Score:3)
and you get, not just an F, but a Z^21
Re: (Score:3)
However, most of these hacks come from automated scripts, meant to target a home's wi-fi, network printer, or some odd piece of IoT device that came on the network bypassing IT. Thinking this plan is so stupid it is genius doesn't comprehend how stupid most hacks are.
Re:Admin as password (Score:4, Interesting)
This. I wouldn't say most hacks are stupid, though. Most hacks look for low hanging fruit, common misconfigurations and defaults, etc. Admin as a password is incredibly stupid, especially for a public-facing site. I'd expect such a site to be compromised in less than a day.
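The point made above, that automated scans go for defaults and low-hanging fruit first and that a public-facing admin:admin portal would be found within a day, is the kind of thing a detection rule should catch. The following is an added example written for this thread; it is not code from the article, the lawsuit, or any Equifax system. It runs a small Python detector over constructed portal auth-log lines and flags three things: a built-in account such as "admin" authenticating from outside the internal ranges, a password spray across several usernames from one source, and a success that follows a burst of failures from the same source. The log format, the account list, the thresholds and the addresses are all assumptions made for the demo.

```python
"""Flag risky logins in web-portal auth logs: default/built-in accounts
logging in from the internet, password spraying, and a success that follows
a burst of failures.  Added example for this thread; the log format below is
invented for the demo and is not any real product's format."""
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical portal (addresses are from the
# RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
2019-10-21T14:02:11Z 203.0.113.7 LOGIN_FAIL user=admin
2019-10-21T14:02:12Z 203.0.113.7 LOGIN_FAIL user=administrator
2019-10-21T14:02:12Z 203.0.113.7 LOGIN_FAIL user=root
2019-10-21T14:02:13Z 203.0.113.7 LOGIN_FAIL user=test
2019-10-21T14:02:13Z 203.0.113.7 LOGIN_FAIL user=guest
2019-10-21T14:02:14Z 203.0.113.7 LOGIN_OK user=admin
2019-10-21T14:05:00Z 198.51.100.20 LOGIN_OK user=jsmith
2019-10-21T14:06:30Z 198.51.100.21 LOGIN_FAIL user=jsmith
2019-10-21T14:06:45Z 198.51.100.21 LOGIN_OK user=jsmith
2019-10-21T14:07:00Z 10.0.0.5 LOGIN_OK user=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<ip>\S+) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+)$"
)

# Vendor/built-in account names that have no business logging in from outside.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "system", "test", "guest"}
# RFC 1918 ranges listed explicitly: ipaddress's is_private() also treats the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private,
# which would silently mask the "external" logins in this sample.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WINDOW = timedelta(minutes=5)   # sliding window for per-source failure state
SPRAY_MIN_USERS = 4             # distinct usernames failed from one source
SUCCESS_AFTER_FAILS = 3         # failures before a success that we alert on
                                # (one mistyped password should not page anyone)

Event = namedtuple("Event", "ts ip kind user")
Alert = namedtuple("Alert", "rule ip user detail")


def parse_log(text):
    """Parse lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["event"], m["user"]))
    return events


def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def detect(events):
    """Return alerts in the order they fire, processing events in time order."""
    alerts = []
    recent_fails = defaultdict(list)  # ip -> [(ts, user)] seen within WINDOW
    for ev in sorted(events, key=lambda e: e.ts):  # stable sort keeps log order on ties
        fails = [(t, u) for t, u in recent_fails[ev.ip] if ev.ts - t <= WINDOW]
        if ev.kind == "LOGIN_FAIL":
            fails.append((ev.ts, ev.user))
            users = sorted({u for _, u in fails})
            if len(users) == SPRAY_MIN_USERS:  # fire once, when the threshold is reached
                alerts.append(Alert("password_spray", ev.ip, ev.user, users))
        else:  # LOGIN_OK
            if ev.user in DEFAULT_ACCOUNTS and not is_internal(ev.ip):
                alerts.append(Alert("default_account_external_login", ev.ip, ev.user, None))
            if len(fails) >= SUCCESS_AFTER_FAILS:
                alerts.append(Alert("success_after_failures", ev.ip, ev.user, len(fails)))
            fails = []  # a success closes the burst for this source
        recent_fails[ev.ip] = fails
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a.rule, a.ip, a.user, a.detail)
```

On the sample, the single source 203.0.113.7 trips all three rules; the one failed-then-successful login from 198.51.100.21 and the admin login from the internal 10.0.0.5 stay quiet. In production the account list and the internal ranges would come from inventory rather than constants, and the last rule's threshold is the one to tune against your real failure baseline.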
Re:Admin as password (Score:4, Funny)
I always use "12345" as a password.
It's the same as the combination on my luggage, so that makes it easy for me to remember.
Re:Admin as password (Score:4, Funny)
I always use "12345" as a password.
It's the same as the combination on my luggage, so that makes it easy for me to remember.
I just put my stuff in cayenne8's luggage when he's not looking and let him carry my stuff for me.
Re: (Score:3)
I always use "12345" as a password.
It's the same as the combination on my luggage, so that makes it easy for me to remember.
I just put my stuff in cayenne8's luggage when he's not looking and let him carry my stuff for me.
I hope he never opens his luggage and thinks "oh good, look at all this powdered sugar, my wife must have given me some as a treat"
Re: (Score:2)
I just put my stuff in cayenne8's luggage when he's not looking and let him carry my stuff for me.
That is the best way to maintain absolute security.
Equifax should have done something similar and stored their data on their competitor's server when they weren't looking.
Then nobody could ever steal Equifax's data.
Re: (Score:3)
You mean I shouldn't use Admin for all my passwords?
Set it to "nimdA" instead. Just as easy to remember but also more secure.
L33t haxors protect themselves (do this everyday) (Score:3)
'swordfish' is clearly more secure than 'admin'.
Re:Admin as password (Score:4, Interesting)
Depends on what the two-factor authentication method was.
I mean; they did use 2FA, right?
Re: (Score:2)
Mixed case and numbers? That's going to be tough to remember.
Re: (Score:2)
It's actually fine up until you posted it, because you were using an uppercase 'A', but now you should change it.
Re: (Score:2)
You were supposed to use 'password' as the password.
I'll take Firewall for the block... (Score:2)
Leaving the default password on is stupid, but it's also stupid to not have a firewall on the way for sensitive systems.
Seems like the credit reporting sites have too much valuable information, and only respond to laws when being called stupid. Congress, please require some basic IT standards on them.
Re: (Score:2)
"Leaving the default password on is stupid, but it's also stupid to not have a firewall on the way for sensitive systems."
Did they not? A lot of places have unpatched systems, default credentials, self-signed or expired certs, etc somewhere but generally it is internal stuff that is buried deep under many layers of security and usually off on some management vlan somewhere at least.
Re: (Score:3)
Consider before calling someone stupid.
Big companies like Equifax have thousands of employees and thousands of "secrets" (pieces of information that must be held confidential e.g. passwords, private keys, etc.). The good guys have to be right every time and the bad guys only have to win once. This isn't so much a "stupid move" as a failure of process. In order to make sure all devices are secured properly, you need to be consistent and thorough, not brilliant. There's always a weird case where some device i
Oblig. Spaceballs quote (Score:2)
"And somebody change the combination of my suitcase!"
-- Lord Helmet
Not quoting anything if you get it wrong (Score:2)
And it was "luggage" not "suitcase". And his name was "Dark Helmet".
Dark Helmet: So the combination is 1-2-3-4-5? That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage!
[Cut to President Skroob walking in]
Skroob: What's the combination?
Colonel Sandurz: 1-2-3-4-5.
Skroob: 1-2-3-4-5? That's amazing! I've got the same combination on my luggage! [Colonel Sandurz and Dark Helmet give each other a look] Prepare Spaceball I for immediate departure!
C
Is there some progression for gross negligence? (Score:2)
Maybe gross stupidity?
I'm a firm believer in "don't attribute to malice which can be sufficiently explained with stupidity", but at this level, that can't even be stupidity anymore. The average 3 year old knows better than to do that. You could literally run this company better by putting a bunch of hobos at the helm.
Re: (Score:2)
It's stupidity. Public-facing, admin:admin, didn't bother encrypting in transit. Reckless and negligent.
I protest the "unencrypted servers" horse shit, however. The data at rest, if encrypted, would be accessible by all these tools. Authentication would allow you to read it, and a lack of authentication would prevent you from doing so. Encryption doesn't help here; you encrypt data on mobile devices (laptops, phones, etc.) because they're actually likely to be stolen.
Yes, I know, you can theoretica
Re: (Score:2)
"I thought we were past holding up encryption as magic sauce."
Unless you are Google we have.
Re: (Score:2)
There was a time not so long ago when a surgeon would scrub, stroll into the operating room and start cutting away. As a result doctors, every one of whom was smart enough to make it through medical school and surgical residency, would occasionally amputate the wrong limb or perform a procedure on the wrong patient.
These days surgical teams are supposed to go through a standard protocol, verifying they've got the right patient and are doing the right procedure. There was resistance to this originally becau
Re: (Score:2)
No self-respecting hobo would ever accept work of that kind.
Re: (Score:2)
On executive level, hiring somebody that is grossly incompetent, is intent. Or at least it should count as it.
We don't understand security... (Score:3)
But, for a few bucks to our coffers, we'll boost your credit rating.
WTF is up with that? You can PAY to have your credit rating raised? How does that ACTUALLY improve your credit worthiness?
Re: (Score:2)
Seems reasonable. It's a revenue stream. The key is to balance your customers: the people who pay you for accurate credit reporting, and the ones who pay you for inaccurate credit reporting.
Re: (Score:1)
Does it? The customers of CRAs are financial organisations, not people. Those financial organisations depend on the accuracy of credit reports to be able to determine whether it's safe to lend or not. If a CRA will fudge a credit report to allow better scores then its entire existence is pointless.
That said, whilst I'm willing to be proven wrong, I don't think such a service exists. There are services that tell you how you can improve your score, but I don't think there are any that actually improve your s
"reporter" (Score:1)
Buzzfeed reporter
lol
Not only that (Score:2)
Their web site interface for freezing/unfreezing credit has been broken for more than a year as well.
Whenever I try to freeze my credit, the operation results in a server-side error.
Transunion and Experian have never been a problem for me.
passwords (Score:2)
********** see!
Re: (Score:2)
Everybody knows that security settings in modern browsers automatically mask your actual password in textarea posts. If you type in your password, it will show as stars ********** see!
My passwords are all actually "**********". Everyone who sees them thinks that they have been blanked out!
sound like some default password! (Score:2)
sound like some default password!
At what point is it Conspiracy, not Cockup? (Score:2)
I was taught Cockup before Conspiracy.
With all these "breaches" and "misconfigurations" I do actively wonder - have we crossed over from Cockups to Conspiracy?
A convenient way to release a trove of info would be to intentionally offer it the most trivial of security. Makes you wonder about all those databases found in unsecured AWS buckets.
And justice for all? (Score:2)
So, who is taking bets that the shareholders give a bigger judgment than the actual victims whose personal information was disclosed?
I mean... if it takes a one-two combo to punish the company properly---a public class action suit for the victims and a shareholder suit for the irresponsibility---I'm all for watching the courtroom drama with a bowl of popcorn.
Although, I'll have that "sadder but wiser" feeling at the end if the shareholders get a bigger payout than the public.
Time to ...... (Score:2)
......cue facepalm.... https://www.youtube.com/watch?... [youtube.com]
Results of a diversity hire (Score:1)
Degree in Music but has a vagina. Check.
Not a problem (Score:2)
Everything important is secured under the BOFH user id.
A lot of the mainframes we used to use... (Score:2)
...had the username SYSTEM and the password was ADMIN.
That was apparently the default, because we used it everywhere.
You were expected to login, make a user account, and log out of the admin account and into your newly created one.
This was in the 70's. :)