KPN closes portal after two-thirds of corporate customers found using default password

Use of the default password, the same for many users, combined with an easily-guessed username, left corporate data at risk

KPN closed a self-service portal for corporate ADSL customers on Tuesday after it discovered that 120,000 of its 180,000 business clients were still using default passwords, all variants of "welkom01," a company spokesman said Friday.

The security vulnerability could have given unauthorized persons easy access to the corporate accounts, for which the corresponding usernames could be easily derived from the businesses' street addresses.

KPN said it was unaware that the vast majority of its 180,000 ADSL business clients were still using a default password for the online Customer Self Care portal.

Dutch IT news site Webwereld alerted KPN on Tuesday after a tip from Robert Schagen of Robert 4U IT, who discovered the security leak.

By continuing to use default passwords such as "welkom01," "welkom1" or "welkom001", customers risked unauthorized persons gaining access to their accounts, KPN said.

Corporate clients were provided with a default password to gain access to the online self care portal as a standard practice, but KPN did not make it mandatory to change the password, and so a lot of their customers never did.

Businesses' user names consist of their zip code and street number, said KPN spokesman Steven Hufton. And a list of KPN's corporate customers could easily be obtained by querying the database of the regional Internet registry, RIPE NCC, Webwereld reported.

With access to an account on the portal, it is possible to change a customer's contact email address and connection speed and turn services on and off, Hufton said. Besides that, the portal also contains bank account numbers and it is possible to change the password, giving malicious persons the opportunity to take over the account, Webwereld wrote.

"This is unacceptable," said Eddy Willems, security evangelist at G Data. KPN should have made it mandatory for users to change the default password when the account was activated, he said, calling KPN's use of default passwords a "very big security risk."

Other big companies have had similar problems in the past, said Willems, although it's happening less often because companies are becoming more and more aware of the importance of security. KPN's problem was probably an historical one, he said, adding that at the time of the implementation probably nobody thought about the consequences. While this is an easy problem to solve, companies should think of good security before they implement a system, and not afterwards, Willems said.

There was no indication that any unauthorized person ever gained access to a corporate account, KPN said. The portal was taken offline immediately after the company was notified on Tuesday afternoon and KPN reset the password of 140,000 accounts. Besides the 120,000 customers that were using the default passwords KPN discovered that about 20,000 corporate accounts reused their login name as a password. Customers were alerted via an email that explained the situation and provided instructions for creating a new, safe password, KPN said. The portal was put back online around midday on Thursday, the company added.

Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?