In the wake of a massive data breach that may affect millions of Americans, a security researcher discovered an employee tool used by employees of credit reporting firm Equifax in Argentina used default login credentials.
Cybersecurity blogger Brian Krebs reported an online employee tool used by the firm’s employees could be accessed by entering “admin” as both the username and password—a common combination for default login credentials that are intended to be changed.
After entering the credentials into the login prompt, Krebs—and anyone who may have discovered this lax protection prior to him—was able to gain access to records held by the firm, including thousands of national identity numbers.
After being contacted about the unsecure login combination, Equifax temporarily shut down the portal, presumably to update the username and password requirements to prevent unauthorized access to the employee tool.
"We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cyber-security event that occurred in the United States last week," an Equifax spokeswoman told the BBC.
"We immediately acted to remediate the situation, which affected a limited amount of information strictly related to Equifax employees. We have no evidence at this time that any consumers or customers have been negatively affected, and we will continue to test and improve all security measures in the region."
Krebs reported once a person access the portal, a person could view the names, employee identification number, and email address of more than 100 Equifax employees working in Argentina. Anyone who logged into the tool could also add, modify, or delete the user accounts within the system.
The employee records were stored in plain text, with password associated with the accounts obscured by dots—though the passwords could be revealed in plain text as well by accessing the HTML code of the site by simply clicking the “view source” function in a user’s browser.
Much like the “admin” username and password combination used to access the employee tool, each employee account password was identical to the employee’s username—and the usernames were simply the employee’s last name or a first initial and full last name, meaning anyone could look up employees who work at Equifax Argentina and use their name to login to their account.
For anyone who went through this process by logging into the employee portal using one of the easily hijacked employee accounts, they would find about 715 pages worth of complaints and disputes filed by Argentinian citizens—about 14,000 complaints in total.
The disputes date back a decade and include complaints filed via fax, phone and email. The documents list the DNI—essentially the Social Security number equivalent for Argentinians—of each person who filed a dispute.
While the unsecure login issue may have been resolved in response to the report, the fact remains the information was accessible for an unknown period of time and may have been accessed by any number of malicious actors.
The discovery of the security lapse comes less than a week after Equifax disclosed to the public it experienced a massive breach that may have resulted in personal records of more than 143 million consumers in the United States being exposed.