The mind-boggling shitshow that is the Equifax hack continues as Brian Krebs reports the company’s Argentina operation left over 100 employee credentials and thousands of customer records – including their nation’s equivalent to Social Security ID numbers – open to compromise thanks to the world’s most easily-guessed username/password combo and the staggeringly idiotic decision to store user credentials and customer records in unencrypted plain text.
Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the easiest-to-guess password combination ever: “admin/admin.”
Each employee record included a company username in plain text, and a corresponding password that was obfuscated by a series of dots.
However, all one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.
A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.
But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages’ worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.
The portal was taken offline shortly after Krebs contacted Equifax to inform them of the vulnerability.
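As an added example (not code from Krebs’s report or from this post), here is a small Python audit that scans a server-rendered page for exactly the failure described above: a password input pre-filled with a value that “view source” exposes, other credential-named fields carrying values, and a rendered password equal to the username. The markup is constructed and hypothetical, not Equifax’s real HTML.

```python
from html.parser import HTMLParser

# Constructed sample page (hypothetical markup, not Equifax's real HTML): the
# browser masks the password with dots, but the raw source still carries it.
SAMPLE_PAGE = """<html><body><form action="/employee/update" method="post">
  <input type="text" name="username" value="jperez">
  <input type="password" name="password" value="jperez">
  <input type="hidden" name="old_clave" value="jperez">
  <input type="text" name="dni" value="00000000">
</form></body></html>"""

SECRET_HINTS = ("pass", "pwd", "clave", "contrase", "secret", "token")


class SecretFieldScanner(HTMLParser):
    """Collect <input> fields whose value should never be rendered to a client."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, reason)
        self.values = {}    # field name -> value, for the username == password check

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        value = a.get("value") or ""
        itype = (a.get("type") or "text").lower()
        self.values[name] = value
        if not value:
            return
        if itype == "password":
            self.findings.append((name, "password input pre-filled with a value"))
        elif any(h in name for h in SECRET_HINTS):
            self.findings.append((name, f"{itype} input named like a credential carries a value"))


def audit_page(html):
    """Scan one rendered page; returns the findings and whether password == username."""
    p = SecretFieldScanner()
    p.feed(html)
    p.close()
    pw = p.values.get("password")
    return {
        "findings": p.findings,
        "password_equals_username": bool(pw) and pw == p.values.get("username"),
    }
```

Run it over a crawl of authenticated pages in a staging environment: any non-empty finding means a secret is leaving the server in the response body, regardless of how the browser renders it.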
Meanwhile, the company has been frantically trying to put out the PR fire resulting from the false positives and false negatives it delivered in the aftermath of its announcement, by promising those who accept its free year of credit monitoring that they can still join one of the dozens of class-action suits pending against it.
Meanwhile, customers are finding it difficult to place credit freezes on their records, thanks to the glut of users attempting to use the services of all three credit agencies. In the interim, legal issues continue to mount, and the creator of DoNotPay – the chatbot service used to fight traffic tickets – has modified the app to help users draft their own small-claims suits against the company.