KPN closes portal after two-thirds of corporate customers found using default password

Use of the default password, the same for many users, combined with an easily-guessed username, left corporate data at risk

KPN closed a self-service portal for corporate ADSL customers on Tuesday after it discovered that 120,000 of its 180,000 business clients were still using default passwords, all variants of "welkom01," a company spokesman said Friday.

The security vulnerability could have given unauthorized persons easy access to the corporate accounts, for which the corresponding usernames could be easily derived from the businesses' street addresses.

KPN said it was unaware that the vast majority of its 180,000 ADSL business clients were still using a default password for the online Customer Self Care portal.

Dutch IT news site Webwereld alerted KPN on Tuesday after a tip from Robert Schagen of Robert 4U IT, who discovered the security leak.

By continuing to use default passwords such as "welkom01," "welkom1" or "welkom001", customers risked unauthorized persons gaining access to their accounts, KPN said.

Corporate clients were provided with a default password to gain access to the online self care portal as a standard practice, but KPN did not make it mandatory to change the password, and so a lot of their customers never did.

Businesses' user names consist of their zip code and street number, said KPN spokesman Steven Hufton. And a list of KPN's corporate customers could easily be obtained by querying the database of the regional Internet registry, RIPE NCC, Webwereld reported.

With access to an account on the portal, it is possible to change a customer's contact email address and connection speed and turn services on and off, Hufton said. Besides that, the portal also contains bank account numbers and it is possible to change the password, giving malicious persons the opportunity to take over the account, Webwereld wrote.

"This is unacceptable," said Eddy Willems, security evangelist at G Data. KPN should have made it mandatory for users to change the default password when the account was activated, he said, calling KPN's use of default passwords a "very big security risk."

Other big companies have had similar problems in the past, said Willems, although it's happening less often because companies are becoming more and more aware of the importance of security. KPN's problem was probably an historical one, he said, adding that at the time of the implementation probably nobody thought about the consequences. While this is an easy problem to solve, companies should think of good security before they implement a system, and not afterwards, Willems said.

There was no indication that any unauthorized person ever gained access to a corporate account, KPN said. The portal was taken offline immediately after the company was notified on Tuesday afternoon and KPN reset the password of 140,000 accounts. Besides the 120,000 customers that were using the default passwords KPN discovered that about 20,000 corporate accounts reused their login name as a password. Customers were alerted via an email that explained the situation and provided instructions for creating a new, safe password, KPN said. The portal was put back online around midday on Thursday, the company added.

Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?