Equifax: researchers find leaky customer help portal in Argentina

As Equifax deals with the fallout of its data breach earlier this month, it’s also receiving a lot more scrutiny from security researchers than it might be used to – and according to security reporter Brian Krebs, there are other parts of Equifax’s security that are wanting.

Unfortunately, according Krebs, it looks like there was a web portal used by Equifax employees in Argentina to manage customer complaints that had all-too-simple login credentials — admin as a username, admin as a password.

If that were not bad enough, the portal also made no real effort to secure employee contact information or credentials, as employee passwords were not only stored in plaintext, but generally, they were simply the employee’s first initial and full last name, or some combination thereof. Not terribly hard to guess.

And if that were not bad enough, the portal also stored customer data, including customer DNI numbers, in plaintext. The DNI, the national identification number for Argentina, is assigned at birth and unchangeable, and not something that you want to land in the wrong hands.

Hold Security, the company that made this discovery, worked with Krebs on this disclosure, and Krebs notified Equifax of this issue on 12 September.

Krebs reports that Equifax pulled the entire portal the same day as it investigates the scope of the issue. It’s not known if any of the customer data was breached before this discovery, or if Hold Security figured out this issue before a criminal did, but the researchers were able to pull up 14,000 customer records.

Attackers know that their methods often don’t have to be sophisticated to be effective, as many organizations still don’t have a lock on the basics.

Default passwords are a boon to attackers, as many people don’t know or don’t remember to change them — from consumers using web-enabled devices at home to system administrators of massive industrial applications. And storing passwords in plain text is inexcusable (for the right way look at Paul Ducklin’s guide to storing passwords safely).

Again, it’s not known if any customer data was breached, though certainly it was put at risk.

This portal in Argentina didn’t look like it had received any kind of attention or basic security hygiene check, as many of the issues reported by Hold and Krebs are alarmingly simple. Even a system with “just” 14,000 customer records deserves proper care and attention to key security practices.