KPN closes portal after finding most corporate customers use default password
Use of the default password, the same for many users, combined with an easily-guessed username, left corporate data at risk
IDG News Service - KPN closed a self-service portal for corporate ADSL customers on Tuesday after it discovered that 120,000 of its 180,000 business clients were still using default passwords, all variants of "welkom01," a company spokesman said Friday.
The security vulnerability could have given unauthorized persons easy access to the corporate accounts, for which the corresponding usernames could be easily derived from the businesses' street addresses.
KPN said it was unaware that the vast majority of its 180,000 ADSL business clients were still using a default password for the online Customer Self Care portal.
Dutch IT news site Webwereld alerted KPN on Tuesday after a tip from Robert Schagen of Robert 4U IT, who discovered the security leak.
By continuing to use default passwords such as "welkom01," "welkom1" or "welkom001", customers risked unauthorized persons gaining access to their accounts, KPN said.
Corporate clients were provided with a default password to gain access to the online self care portal as a standard practice, but KPN did not make it mandatory to change the password, and so a lot of their customers never did.
Businesses' user names consist of their zip code and street number, said KPN spokesman Steven Hufton. And a list of KPN's corporate customers could easily be obtained by querying the database of the regional Internet registry, RIPE NCC, Webwereld reported.
With access to an account on the portal, it is possible to change a customer's contact email address and connection speed and turn services on and off, Hufton said. Besides that, the portal also contains bank account numbers and it is possible to change the password, giving malicious persons the opportunity to take over the account, Webwereld wrote.
"This is unacceptable," said Eddy Willems, security evangelist at G Data. KPN should have made it mandatory for users to change the default password when the account was activated, he said, calling KPN's use of default passwords a "very big security risk."
Other big companies have had similar problems in the past, said Willems, although it's happening less often because companies are becoming more and more aware of the importance of security. KPN's problem was probably an historical one, he said, adding that at the time of the implementation probably nobody thought about the consequences. While this is an easy problem to solve, companies should think of good security before they implement a system, and not afterwards, Willems said.
There was no indication that any unauthorized person ever gained access to a corporate account, KPN said. The portal was taken offline immediately after the company was notified on Tuesday afternoon and KPN reset the password of 140,000 accounts. Besides the 120,000 customers that were using the default passwords KPN discovered that about 20,000 corporate accounts reused their login name as a password. Customers were alerted via an email that explained the situation and provided instructions for creating a new, safe password, KPN said. The portal was put back online around midday on Thursday, the company added.
Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to email@example.com
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- Architects lead the next generation of data-driven applications Read this whitepaper to find out how application architects can quickly and confidently deliver long-lasting applications that minimize cost, complexity, and risk while...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Desktop Apps White Papers | Webcasts