KPN closes portal after finding most corporate customers use default password
Use of the default password, the same for many users, combined with an easily-guessed username, left corporate data at risk
IDG News Service - KPN closed a self-service portal for corporate ADSL customers on Tuesday after it discovered that 120,000 of its 180,000 business clients were still using default passwords, all variants of "welkom01," a company spokesman said Friday.
The security vulnerability could have given unauthorized persons easy access to the corporate accounts, for which the corresponding usernames could be easily derived from the businesses' street addresses.
KPN said it was unaware that the vast majority of its 180,000 ADSL business clients were still using a default password for the online Customer Self Care portal.
Dutch IT news site Webwereld alerted KPN on Tuesday after a tip from Robert Schagen of Robert 4U IT, who discovered the security leak.
By continuing to use default passwords such as "welkom01," "welkom1" or "welkom001", customers risked unauthorized persons gaining access to their accounts, KPN said.
Corporate clients were provided with a default password to gain access to the online self care portal as a standard practice, but KPN did not make it mandatory to change the password, and so a lot of their customers never did.
Businesses' user names consist of their zip code and street number, said KPN spokesman Steven Hufton. And a list of KPN's corporate customers could easily be obtained by querying the database of the regional Internet registry, RIPE NCC, Webwereld reported.
With access to an account on the portal, it is possible to change a customer's contact email address and connection speed and turn services on and off, Hufton said. Besides that, the portal also contains bank account numbers and it is possible to change the password, giving malicious persons the opportunity to take over the account, Webwereld wrote.
"This is unacceptable," said Eddy Willems, security evangelist at G Data. KPN should have made it mandatory for users to change the default password when the account was activated, he said, calling KPN's use of default passwords a "very big security risk."
Other big companies have had similar problems in the past, said Willems, although it's happening less often because companies are becoming more and more aware of the importance of security. KPN's problem was probably an historical one, he said, adding that at the time of the implementation probably nobody thought about the consequences. While this is an easy problem to solve, companies should think of good security before they implement a system, and not afterwards, Willems said.
There was no indication that any unauthorized person ever gained access to a corporate account, KPN said. The portal was taken offline immediately after the company was notified on Tuesday afternoon and KPN reset the password of 140,000 accounts. Besides the 120,000 customers that were using the default passwords KPN discovered that about 20,000 corporate accounts reused their login name as a password. Customers were alerted via an email that explained the situation and provided instructions for creating a new, safe password, KPN said. The portal was put back online around midday on Thursday, the company added.
Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to email@example.com
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- Pragmatic Endpoint Management: Empowering an SMB Workforce in the Age of Mobility Lacking the time for proper training and education, SMB administrators often resort to taking shortcuts to keep their environment running.This paper discusses the...
- Gartner Magic Quadrant for Application Security The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Desktop Apps White Papers | Webcasts