Dutch ISP Discovers 140,000 Customers With Default Password 99
bs0d3 writes "In Holland, a major ISP (KPN) has found a major security flaw for their customers. It seems that all customers have had the same default password of 'welkom01'. Up to 140,000 customers had retained their default passwords. Once inside attackers could have found bank account and credit card numbers. KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security."
It's the ISP's fault (Score:5, Informative)
It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.
ISP didn't discover it. (Score:5, Informative)
KPN didn't discover it themselves. An ICT company did (accidentally even), and reported the flaw to an IT site (webwereld.nl) instead of contacting KPN directly.
Dutch link: http://tweakers.net/nieuws/82955/kpn-maakt-blunder-met-standaardwachtwoord-z-adsl-accounts.html [tweakers.net] and http://webwereld.nl/nieuws/111057/140-000-kpn-adsl-accounts-lek-door-welkom01-fail.html [webwereld.nl]