Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC, took some time to examine Equifax's security in Argentina, and what he found is not good. The giant credit reporting bureau was just in hot water for a breach that left millions of customers' personal information exposed. Now it seems the company has failed to protect consumers' information by leaving an employee portal accessible with the most guessable password possible, 'ADMIN'.
<img src="https://8ch.net/file_store/f1d88e928e88770a637cd4457d1d79d686ee9d445b4b82c337860de35d1f6ae3.png" style="max-height:640px;max-width:360px;">
<span style="margin-top:15px;rgba(42,51,6,0.7);font-size:12px;">Credit: Hold Security</span>
By entering 'ADMIN/ADMIN' as the username and password combination, they were able to get into an Equifax Argentina employee portal that was used to handle credit report disputes. The personal information of around 111 Equifax employees was available, along with their usernames and passwords. Although the passwords were obfuscated by a series of dots, they were easily visible in plain text by right-clicking on the employee's profile and selecting "view source", which displays the raw HTML code that makes up the site and shows the employee's full password. This isn't the worst of it: each employee's username was nothing but their own last name combined with their first initials, something very easy to guess.
<img src="https://8ch.net/file_store/b5447638307fb35217fa9d26f35d85e06a17f174df90a9fc11026dff8dbe47a6.png" style="max-height:640px;max-width:360px;">
<span style="margin-top:15px;rgba(42,51,6,0.7);font-size:12px;">Credit: Hold Security</span>
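The masking dots are only how a browser draws an `<input type="password">`; whatever the server wrote into the field's `value` attribute is still in the page source. The check below is an added example, not code from the original article, Equifax or Hold Security: it scans a rendered page for password fields that arrive pre-filled, the condition described above. The sample HTML, field names and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of a server-rendered profile page (not from the real portal).
SAMPLE_PAGE = """
<form action="/profile/save" method="post">
  <input type="text" name="username" value="jdoe">
  <input type="password" name="password" value="Summer2017">
  <input type="PASSWORD" name="confirm" value="">
  <input type="password" name="new_password">
</form>
"""


class PrefilledPasswordFinder(HTMLParser):
    """Collects password inputs whose value attribute carries data."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, but not values.
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("type", "").strip().lower() != "password":
            return
        value = attr.get("value", "")
        if value:
            line, _col = self.getpos()
            # Report the field and its length only, never the secret itself.
            self.findings.append(
                {"line": line, "name": attr.get("name", ""), "length": len(value)}
            )


def find_prefilled_passwords(html):
    """Return one finding per password input that the server pre-filled."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_prefilled_passwords(SAMPLE_PAGE):
        print(f"line {f['line']}: password field {f['name']!r} "
              f"is pre-filled with {f['length']} characters")
```

Run against the saved responses of your own application in a test or CI step; any finding means the server is sending a stored credential back to the browser.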
That's not all; it gets worse. From the home page of Equifax.com.ar, where the employee portal is located, a listing of around 725 pages' worth of complaints and disputes was available. These had been filed by Argentinians at some point over the last decade when they contacted Equifax by fax, phone or email to dispute issues with their credit reports. Each complaint held that person's DNI, the Argentinian equivalent of the Social Security number, again in plain text. There were over 14,000 such records.
<i>On Twitter:</i>
<a href="https://twitter.com/ErvinProduction">@ErvinProduction</a>