Equifax used 'admin' as its login and password for its online employee portal in Argentina
'To me, this is just negligence,' Hold Security founder Alex Holden said.
A week after Equifax disclosed one of the largest data breaches in history, security researchers have found that the credit monitoring firm's employee web portal in Argentina was protected using "perhaps the most easy-to-guess password combination ever".
Researchers at Wisconsin-based Hold Security informed security expert Brian Krebs this week that an Equifax employee web portal apparently used the word "admin" as both the username and password.
The portal, called Veraz, was designed to let Equifax employees in Argentina manage credit report disputes in the country. Because the login accepted the default "admin"/"admin" pair, anyone who guessed that combination could get inside.
Once inside the portal, researchers discovered they could view the names of over 100 local Equifax employees along with their employee IDs and email addresses. Authenticated users would also be able to add, modify or delete existing user accounts on the system.
According to Krebs, a list of employee records included each company user name in plain text along with the corresponding password masked on screen by a series of dots. However, Krebs said the masking was only visual: the actual password was present in the page's HTML source, where it was not difficult for someone to find.
"A review of those accounts shows all employee passwords were the same as each user's username," Krebs wrote. "Worse still, each employee's username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee's last name, you also could work out their password for this credit dispute portal quite easily."
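The two defects Krebs describes above, a password that is only masked on screen but rendered into the HTML source, and a password identical to the username, can be caught by auditing the rendered page. The following is an added example, not code from the article or from Equifax; the sample page and its field names are constructed assumptions.

```python
"""Added example (not the article's or Equifax's code): audit a rendered
user-management page for the two weaknesses described above, password
values embedded in the HTML source and passwords equal to usernames."""
from html.parser import HTMLParser

# Constructed sample page; input names are assumptions. The server has
# rendered each user's real password into a masked <input type="password">.
SAMPLE_HTML = """
<form id="u1"><input name="username" value="perez">
  <input type="password" name="password" value="perez"></form>
<form id="u2"><input name="username" value="jgarcia">
  <input type="password" name="password" value="S3cr3t!"></form>
<form id="u3"><input name="username" value="admin">
  <input type="password" name="password" value=""></form>
"""

class FormAudit(HTMLParser):
    """Collects the username and password field values of each <form>."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"id": a.get("id"), "username": None, "password": None}
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "text").lower() == "password":
                self._cur["password"] = a.get("value") or ""
            elif a.get("name") == "username":
                self._cur["username"] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def audit(html):
    """Return (form id, issue) findings; an empty list means the page is clean."""
    p = FormAudit()
    p.feed(html)
    p.close()
    findings = []
    for f in p.forms:
        if f["password"]:  # a masked field should never carry a value
            findings.append((f["id"], "password value present in HTML source"))
            if f["password"] == f["username"]:
                findings.append((f["id"], "password equals username"))
    return findings
```

Run `audit()` over pages fetched from an internal portal during a review; any finding means the server is echoing stored credentials into templates and must be fixed on the server side, not hidden by the masking.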
The employee portal's main page also contained about 14,000 complaints and disputes by Argentinean consumers who contacted Equifax via phone, email or fax within the past decade. The website also contained each person's DNI – similar to a Social Security number in the US – in plain text.
"People there have put a lot of effort into getting a loan, and for them to have a situation like this would be a disaster," Jorge Speranza, manager of IT at Hold Security said. "In a country that has gone through so much — where there once was no credit, no mortgages or whatever — and now having the ability to get loans and lines of credit, this is potentially very damaging."
Equifax took down the website after it was notified of the issue by Krebs. The company said in a statement that the "potential vulnerability" in the internal portal was not connected to the massive US data breach disclosed last week.
"We immediately acted to remediate the situation, which affected a limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions," Equifax said. "We have no evidence at this time that any consumers, customers, or information in our commercial and credit databases were negatively affected, and we will continue to test and improve all security measures in the region."
The latest security gaffe comes after Equifax disclosed a historic data breach that saw the theft of valuable financial data of about 143 million people in the US, including their names, dates of birth, Social Security numbers, addresses and driver's license numbers.
Equifax said on Wednesday that a months-old web server vulnerability was to blame for the breach. The company has drawn fierce criticism and intense scrutiny following the disclosure and has been hit with at least 30 lawsuits from across the US. A number of US states, along with Congress, are also investigating the intrusion.
US lawmakers have also demanded that Equifax provide more details about the breach, including the timeline, how long the company was aware of the incident and why it chose to delay disclosing it. They have also asked for information regarding three top executives who sold stock just days after the breach was discovered.
"To me, this is just negligence," Hold Security founder Alex Holden said. "In this case, their approach to security was just abysmal, and it's hard to believe the rest of their operations are much better."
© Copyright IBTimes 2024. All rights reserved.