KPN closed a self-service portal for corporate ADSL customers on Tuesday after it discovered that 120,000 of its 180,000 business clients were still using default passwords, all variants of "welkom01," a company spokesman said Friday.
The security vulnerability could have given unauthorized persons easy access to the corporate accounts, for which the corresponding usernames could be easily derived from the businesses' street addresses.
KPN said it was unaware that the vast majority of its 180,000 ADSL business clients were still using a default password for the online Customer Self Care portal.
Dutch IT news site Webwereld alerted KPN on Tuesday after a tip from Robert Schagen of Robert 4U IT, who discovered the security leak.
By continuing to use default passwords such as "welkom01," "welkom1" or "welkom001", customers risked unauthorized persons gaining access to their accounts, KPN said.
Corporate clients were provided with a default password to gain access to the online self care portal as a standard practice, but KPN did not make it mandatory to change the password, and so a lot of their customers never did.
Businesses' user names consist of their zip code and street number, said KPN spokesman Steven Hufton. And a list of KPN's corporate customers could easily be obtained by querying the database of the regional Internet registry, RIPE NCC, Webwereld reported.
With access to an account on the portal, it is possible to change a customer's contact email address and connection speed and turn services on and off, Hufton said. Besides that, the portal also contains bank account numbers and it is possible to change the password, giving malicious persons the opportunity to take over the account, Webwereld wrote.
"This is unacceptable," said Eddy Willems, security evangelist at G Data. KPN should have made it mandatory for users to change the default password when the account was activated, he said, calling KPN's use of default passwords a "very big security risk."
Other big companies have had similar problems in the past, said Willems, although it's happening less often because companies are becoming more and more aware of the importance of security. KPN's problem was probably an historical one, he said, adding that at the time of the implementation probably nobody thought about the consequences. While this is an easy problem to solve, companies should think of good security before they implement a system, and not afterwards, Willems said.
There was no indication that any unauthorized person ever gained access to a corporate account, KPN said. The portal was taken offline immediately after the company was notified on Tuesday afternoon and KPN reset the password of 140,000 accounts. Besides the 120,000 customers that were using the default passwords KPN discovered that about 20,000 corporate accounts reused their login name as a password. Customers were alerted via an email that explained the situation and provided instructions for creating a new, safe password, KPN said. The portal was put back online around midday on Thursday, the company added.