Forgot your password?
typodupeerror
Privacy Security IT

Dutch ISP Discovers 140,000 Customers With Default Password 99

Posted by timothy
from the remove-fingers-from-dike-and-type-new-one dept.
bs0d3 writes "In Holland, a major ISP (KPN) has found a major security flaw for their customers. It seems that all customers have had the same default password of 'welkom01'. Up to 140,000 customers had retained their default passwords. Once inside attackers could have found bank account and credit card numbers. KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security."
This discussion has been archived. No new comments can be posted.

Dutch ISP Discovers 140,000 Customers With Default Password

Comments Filter:
  • Verizon online (Score:5, Interesting)

    by Anonymous Coward on Thursday July 05, 2012 @05:48PM (#40557577)

    had to ban the password abc123 on thier ADSL network years ago..

    • Re: (Score:2, Funny)

      by Anonymous Coward

      I was there for that... I got cursed out that week by many a little old lady.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security.

      It's a shame KPN changed their passwords for them. They were about to learn a valuable lesson!

      The reasonably intelligent people only had to hear about one instance of fraud, one example of ID theft in the news, to understand that they need a decent password. Idiots don't learn the easy way like this. Idiots only ever learn the hard way. I don't agree with that but I respect their right to learn any way they want to. It's called freedom.

      • I kind of disagree. People shouldn't be unnecessarily punished for stupidity (unless it's something that harms other people). A much better idea would have been simply to have each user have some random password which they get printed at home.
      • by CastrTroy (595695)
        I bet that most of these people never even knew there was an account to begin with. If it had credit card and banking details, I'm pretty sure that the password refers to the online billing system, and not something like the PPPoE password. Most of the people probably never even logged into their account if they were even aware they had one. Basically, the ISP was completely at fault here for setting up the default password for every account to be exactly the same.
      • by mcgrew (92797) *

        It's a shame KPN changed their passwords for them. They were about to learn a valuable lesson!

        I doubt it. They'd just become part of a botnet.

        The reasonably intelligent people only had to hear about one instance of fraud, one example of ID theft in the news, to understand that they need a decent password.

        You confuse ignorance with stupidity. They heard about ID theft, they heard about phishing, they don't hear about weak passwords.

    • by matazar (1104563)

      Bell Canada used to use this password and no one would ever change it. It was kind of funny being able to tell people what their password was. They've recently made slightly better passwords, but it was a good couple of years of abc123.

      • An even bigger ISP in the Netherlands uses/used the very same password for people who forgot their original more secure password.
  • by Anonymous Coward

    Those filthy communists enabling others to pirate through their connection would be in jail now.

  • It's the ISP's fault (Score:5, Informative)

    by wickerprints (1094741) on Thursday July 05, 2012 @05:49PM (#40557605)

    It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.

    • by Anonymous Coward on Thursday July 05, 2012 @05:52PM (#40557657)

      Further, why was the credit/bank information displayed in full? Isn't that stuff usually masked out? I think all services that I subscribe too usually just show the last 3-4 numbers of the account information, for this reason (in case login credentials are stolen).

      • by Anonymous Coward

        That one is easy. In the Dutch system, they don't use security by obscurity when it comes to bank account numbers, it's like an address. Most payments above a hand full of euros are done by bank transfer (cheques were phased out decades ago, credit cards are rarely used). You would have trouble paying for things or receiving payments if your bank account number was a secret there.

    • by pipatron (966506)

      They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.

      Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.

      • by tlhIngan (30335) <slashdot AT worf DOT net> on Thursday July 05, 2012 @06:13PM (#40557895)

        They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.

        Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.

        OTOH, I wonder if all 140,000 customers who used the default passowrd actually USED the account? It sounds like it was a customer service portal thing - not something they normally login with. For those people, they probalby managed their account by phone rather than thinking to log into the customer service potral and do all their changes there?

      • by ShanghaiBill (739463) on Thursday July 05, 2012 @06:23PM (#40557995)

        but some people need to learn the hard way.

        Should car companies remove seat belts and airbags, so people can "learn the hard way" to avoid accidents?
        Or maybe we should be responsible professionals and design secure systems and appropriate procedures, instead of blaming our customers for our own incompetence.

        • by stanlyb (1839382)
          Actually, your analogy should be: Should car companies use default password for the ignition key?
        • by pipatron (966506)

          No, they should keep the seat belts. They should keep letting people decide when to use them, and they should not be responsible for any deaths that occur if someone did not use them.

          Like letting people change their password as they should if they want to remain safe, or leave them if they want to get hurt badly in case someone hits them.

          • To refine that analogy a bit... it would be like having seat belts that in this particular car model required you to separately remember to enable the automatic locking mechanism so that it works in accidents.
    • by Anonymous Coward

      It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.

      Definitely true!! Let's face it whilst us geeks will roll our eyes and groan at the stupidity of the user, we should remember that most people don't choose or want to care about complexity of security. A lock and key is a nice easy physical reminder in our daily routine that we need to keep the bad guys out, but passwords are not intuitive to our lifestyle yet. Until people become accustomed to the digital set of keys, or it becomes as easy as a set of keys, then people will rely on default passwords.

      So yes

    • by geekmux (1040042)

      It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.

      Exactly. And when I read "major security flaw", I laughed, trying to figure out what is the larger "flaw" here. The rather blatant and obvious shortcomings you've pointed out, or the fact that there are at least 100,000 people in Holland who don't know why they should ever change their default password.

    • On a system I manage we have rules in place to prevent the reuse of passwords, simple ones like you cannot use a password you used the previous 31 times and such with limits on how often you can change them.

      Well unless we put a limit of changes that were beyond a day you can guess what many users figured out to do... Forcing users to change passwords doesn't always end up with the results you expect.

      Oh, mixed case and numbers... don't even get me started. Surveyed users on how they handled that and its

  • Once upon a time... (Score:5, Interesting)

    by Mr. Firewall (578517) on Thursday July 05, 2012 @05:50PM (#40557617) Homepage

    When I was a sysadmin at a certain Bible college known for its weak security, I collected the password hashes of the students & faculty and ran them through a cracker (John the Ripper if I remember correctly), then sent out a mass email with the decrypted passwords, sorted by the amount of time it took to crack them.

    Yeah, the majority of them were cracked within five seconds. Of course, I omitted the information on just whose passwords they were.

    Dunno if it resulted in anyone actually doing something about their passwords though.

    • OK, am I to understand you published actual passwords? That never works to motivate the technically challenged.

      • Yes, I published them. One year later.

        • by Anonymous Coward

          Why the bleep did you do that? If they had a password that could be cracked in a few thousand guesses, it'd take under a second to brute-force it from the hash - but an outside attacker trying to log in should be stopped after three guesses if the sysadmin is halfway competent. Unless you're expecting to leak the hashes, you're solving the wrong problem - and, in the process, making the real problem worse.

          • by Teun (17872)
            Why do you ask? It was a Bible College where everyone daily recites the 10 commandments not excluding the 8th. and 10th, no need for passwords!
          • Your error is in assuming that any & all attackers would be from the outside.

            Not a safe assumption.

  • welcome01
    willkommen01
    aloha01
    benvenuto01

  • They also do not believe anyone has actually been burglarized since discovering this weak spot in security.

    Sure, that's believable. It'd be bad if googling 'welkom01' turned up hits on free password sites but that'll probably never happen.

    What's particularly humorous is forcing google to not include pages from the last week. One of the first pages is this gem from 2010.

    http://www.autoitscript.com/forum/topic/118849-import-csv-file-to-add-users-in-ad/ [autoitscript.com]

    Almost looks like the ISP's admin asking how to make it so new accounts get the right password in a scripted fashion. There are a few other admin type questions

  • burglarized??? (Score:4, Insightful)

    by philofaqs (668524) on Thursday July 05, 2012 @06:02PM (#40557765)
    For heaven's sake what's wrong with burgled?
    • Better than buggered, I suppose...
    • by Dishevel (1105119)

      I would rather be burgled than buggered.

    • by Inda (580031)
      And someone who does the deed is a burglarizer.

      Why couldn't they have picked French to bastardize (sic)?
  • by Anonymous Coward on Thursday July 05, 2012 @06:06PM (#40557813)

    All offending passwords were changed to "welkom02." Crisis averted!

  • by bitt3n (941736) on Thursday July 05, 2012 @06:09PM (#40557835)
    "We have discovered you have been using default password 'welkom01'. This represents a grave security risk. Therefore, we have changed your password to 'welkom02'."
  • It's twice as bad as the summary makes it sound: "It seems that the Usernames were easy to guess because it was comprised of the persons zipcode + street address."
    But at least then it'd have to be targetted. What isn't clear is what the login actually does. The article says it was the "account management" login. So to use Time Warner as a comparison, I assume that means they would change the ISP-based e-mail account passwords from there and read their e-mail via a webmail interface not to mention reset
  • Damn! (Score:5, Funny)

    by evenmoreconfused (451154) on Thursday July 05, 2012 @06:13PM (#40557889)

    Just lost about 140K bots on my net...

  • Cox isn't much, but I don't actualll get a default account, except for email, and that is just email.

    My account info is not necessary to use service, just to automate payment, and I have to set up everything, no defaults.

    My real concern is how this ISP determined using defaults made any sense. Really?

  • by Amarantine (1100187) on Thursday July 05, 2012 @06:53PM (#40558243)

    KPN didn't discover it themselves. An ICT company did (accidentally even), and reported the flaw to an IT site (webwereld.nl) instead of contacting KPN directly.

    Dutch link: http://tweakers.net/nieuws/82955/kpn-maakt-blunder-met-standaardwachtwoord-z-adsl-accounts.html [tweakers.net] and http://webwereld.nl/nieuws/111057/140-000-kpn-adsl-accounts-lek-door-welkom01-fail.html [webwereld.nl]

  • Sounds like users have had it with passwords...

      or is the problem still between the keyboard and the chair?

  • The ISP replaced it with another weak password? What? welkom02? Why not a strong password? Strong passwords do not have to be hard to remember or type, see: http://xkcd.com/936/ [xkcd.com]

    • by wvmarle (1070040)

      Thanks. Now everyone please change your password from "welkom01" to "correcthorsebatterystaple" and we all have become a lot more secure!

  • welkom01 and welkom02 have to be great passwords. The (Dutch) company I work for gave me an internal SVN user whose password I can't change. However, they require me to change it every month (because they're very security-conscious). Since I can't do this, the account gets locked every time. When this happens, I just call the helpdesk. They will then reset the password for me. They usually provide me a new password like 'welkom01'. This, and the fact that 140,000 other people are using it, proves to me that
  • What are the odds that they've changed 140 000 passwords to "sukkel01" now, I wonder.
  • In Holland, a major ISP (KPN) has found a .

    First sentence, guys. A grammatical mistake in the First. Fucking. Sentence.

    The 9 year olds in the special school I tech for can construct full sentences. They can also read through their work and pick out mistakes. You, as paid editors, have no excuse. I don't care if this is a missing angle bracket on a tag or other technical issue; It's inexcusable.

The amount of weight an evangelist carries with the almighty is measured in billigrahams.

Working...