Telecom portal shut after 70% of customers found to be using default passwords

Summary: Top Dutch telecom firm shuts its customer self-service portal after discovering users were not bothering to change the default password.

The Netherlands' leading telecommunications company closed its customer self-service management portal Thursday after discovering that nearly 70% of its users had not changed the default password after they opened their accounts.

KPN said 120,000 of the 180,000 users of its Business Z-ADSL self-care portal were using the password “welkom01,” which is automatically set when an account is created. Another 20,000 users had user names that were also their passwords.

KPN customers were not required to change the default password, even though the portal was used for account management, including contact details, bank account numbers, and subscription services. The portal also allowed users to change their passwords, an option hackers could have used to easily hijack accounts.

It is not uncommon for computer hardware to ship with default passwords already installed, but online services typically let users create their own usernames and passwords.

The situation was reported to KPN by the IDG Netherlands web site Webwereld, which was tipped off by Robert 4U IT, an IT services firm, and a subsequent story was posted by IDG’s ComputerWorld.

The company said it was not aware of the issue and praised Webwereld for informing KPN of the situation. KPN said the portal was immediately “slammed shut” and registration procedures were altered to make the site more secure.

The company said no accounts were hacked, but all 140,000 were automatically reset. Customers were sent an email telling them how to reset their passwords.

The site is now back online and KPN apologized to its customers.

Topics: Security, Privacy

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, directs several social media channels, and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
