Skip to main content

Slashdot: SolarWinds' Former CEO Blames Intern for 'solarwinds123' Password Leak

SolarWinds' Former CEO Blames Intern for 'solarwinds123' Password Leak
Published on February 28, 2021 at 03:04AM
"Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years," reports CNN. The password in question, "solarwinds123," was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server... It is still unclear what role, if any, the leaked password may have played in enabling suspected Russian hackers to spy on multiple federal agencies and businesses in one of the most serious security breaches in U.S. history. Stolen credentials are one of three possible avenues of attack SolarWinds is investigating as it tries to uncover how it was first compromised by the hackers, who went on to hide malicious code in software updates that SolarWinds then pushed to some 18,000 customers, including numerous federal agencies. Other theories SolarWinds is exploring, said SolarWinds CEO Sudhakar Ramakrishna, include the brute-force guessing of company passwords, as well as the possibility the hackers could have entered via compromised third-party software. Confronted by Rep. Rashida Tlaib, former SolarWinds CEO Kevin Thompson said the password issue was "a mistake that an intern made... They violated our password policies and they posted that password on an internal, on their own private Github account," Thompson said. "As soon as it was identified and brought to the attention of my security team, they took that down...." Ramakrishna later testified that the password had been in use as early as 2017... That timeframe is considerably longer than what had been reported. The remarks were made at a hearing of a House security committee, where Representative Katie Porter also strongly criticized the company. "I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad! You and your company were supposed to be preventing the Russians from reading Defense Department emails!" CNN also reports that Microsoft (which is leading the forensic investigation into the breach) "later said there is no evidence that the Pentagon was actually affected by the Russian spying campaign."

Read more of this story at Slashdot.

Comments

Popular posts from this blog

Slashdot: AT&T Says Leaked Data of 70 Million People Is Not From Its Systems

AT&T Says Leaked Data of 70 Million People Is Not From Its Systems Published on March 20, 2024 at 02:15AM An anonymous reader quotes a report from BleepingComputer: AT&T says a massive trove of data impacting 71 million people did not originate from its systems after a hacker leaked it on a cybercrime forum and claimed it was stolen in a 2021 breach of the company. While BleepingComputer has not been able to confirm the legitimacy of all the data in the database, we have confirmed some of the entries are accurate, including those whose data is not publicly accessible for scraping. The data is from an alleged 2021 AT&T data breach that a threat actor known as ShinyHunters attempted to sell on the RaidForums data theft forum for a starting price of $200,000 and incremental offers of $30,000. The hacker stated they would sell it immediately for $1 million. AT&T told BleepingComputer then that the data did not originate from them and that its systems were not breached. &q

Slashdot: AT&T, T-Mobile Prep First RedCap 5G IoT Devices

AT&T, T-Mobile Prep First RedCap 5G IoT Devices Published on October 15, 2024 at 03:20AM The first 5G Internet of Things (IoT) devices are launching soon. According to Fierce Wireless, T-Mobile plans to launch its first RedCap devices by the end of the year, while AT&T's devices are expected sometime in 2025. From the report: All of this should pave the way for higher performance 5G gadgets to make an impact in the world of IoT. RedCap, which stands for reduced capabilities, was introduced as part of the 3GPP's Release 17 5G standard, which was completed -- or frozen in 3GPP terms -- in mid-2022. The specification, which is also called NR-Light, is the first 5G-specific spec for IoT. RedCap promises to offer data transfer speeds of between 30 Mbps to 80 Mbps. The RedCap spec greatly reduces the bandwidth needed for 5G, allowing the signal to run in a 20 MHz channel rather than the 100 MHz channel required for full scale 5G communications. Read more of this story at

Slashdot: AT&T Can't Hang Up On Landline Phone Customers, California Agency Rules

AT&T Can't Hang Up On Landline Phone Customers, California Agency Rules Published on June 22, 2024 at 01:50AM An anonymous reader quotes a report from Ars Technica: The California Public Utilities Commission (CPUC) yesterday rejected AT&T's request to end its landline phone obligations. The state agency also urged AT&T to upgrade copper facilities to fiber instead of trying to shut down the outdated portions of its network. AT&T asked the state to eliminate its Carrier of Last Resort (COLR) obligation, which requires it to provide landline telephone service to any potential customer in its service territory. A CPUC administrative law judge recommended rejection of the application last month, and the commission voted to dismiss AT&T's application with prejudice on Thursday. "Our vote to dismiss AT&T's application made clear that we will protect customer access to basic telephone service... Our rules were designed to provide that assurance,