Telecom portal shut after 70% of customers found to be using default passwords

Summary: Top Dutch telecom firm shuts its customer self-service portal after discovering users not bothering to change default password.

TOPICS: Security, Privacy

The Netherlands' leading telecommunications company, KPN, closed its customer self-service management portal on Thursday after discovering that nearly 70% of its users had never changed the default password assigned when their accounts were opened.

KPN said 120,000 of the 180,000 users of its Business Z-ADSL self-care portal were still using the password “welkom01,” which is set automatically when an account is created. Another 20,000 users had passwords identical to their usernames.

KPN customers were not required to change the default password, even though the portal was used for account management, including contact details, bank account numbers and subscription services. The portal also let users change their passwords, so anyone who logged in with the well-known default could have set a new password and locked the legitimate customer out of the account.

It is not uncommon for computer hardware to ship with a default password already set, but online services typically let users choose their own usernames and passwords at registration.
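The failure described above is easy to state as two missing controls: nothing forced the default (or a username-as-password) to be replaced, and nothing audited the account base for it afterwards. The following is an added example, not code from KPN or from the original article, showing both sides: an offline audit that flags stored hashes matching the default password “welkom01” or the account's own username, and a provisioning and login flow that hands out a random one-time password and blocks everything except a password change until it is replaced. The account records, usernames such as klant001, the PBKDF2 work factor and the 12-character minimum are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default credential named in the article; everything else in this file is an assumption.
DEFAULT_PASSWORD = "welkom01"
PBKDF2_ITERATIONS = 100_000   # assumed work factor, kept modest so the example runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = False   # set at provisioning, cleared by the first successful change


def legacy_account(username: str, password: str) -> Account:
    """Constructed sample: an account provisioned the old way (fixed password, no forced change)."""
    salt, digest = hash_password(password)
    return Account(username, salt, digest, must_change_password=False)


def sample_accounts() -> List[Account]:
    # Constructed test data mirroring the three populations described in the article.
    return [
        legacy_account("klant001", DEFAULT_PASSWORD),        # never changed the default
        legacy_account("klant002", "klant002"),              # username reused as password
        legacy_account("klant003", "Tulip-Windmill-7731"),   # chose a real password
    ]


def audit_weak_credentials(accounts: List[Account]) -> Dict[str, str]:
    """Offline check an operator can run against stored hashes: flag every account whose
    hash verifies against the shared default password or against its own username."""
    findings: Dict[str, str] = {}
    for acct in accounts:
        if verify_password(DEFAULT_PASSWORD, acct.salt, acct.digest):
            findings[acct.username] = "default password"
        elif verify_password(acct.username, acct.salt, acct.digest):
            findings[acct.username] = "password equals username"
    return findings


def password_acceptable(username: str, new_password: str) -> bool:
    """The two rules the portal evidently lacked, plus an assumed minimum length."""
    lowered = new_password.lower()
    if lowered == DEFAULT_PASSWORD.lower():
        return False
    if lowered == username.lower():
        return False
    return len(new_password) >= 12


def create_account(username: str) -> Tuple[Account, str]:
    """Provisioning without a shared default: a random one-time password that must be changed."""
    temporary = secrets.token_urlsafe(12)
    salt, digest = hash_password(temporary)
    return Account(username, salt, digest, must_change_password=True), temporary


def login(acct: Account, password: str) -> str:
    """Returns 'denied', 'change_required' (authenticated, but nothing else is allowed yet) or 'ok'."""
    if not verify_password(password, acct.salt, acct.digest):
        return "denied"
    if acct.must_change_password:
        return "change_required"
    return "ok"


def change_password(acct: Account, current: str, new: str) -> bool:
    """Re-authenticates with the current password, so a hijacked session alone cannot rotate it."""
    if not verify_password(current, acct.salt, acct.digest):
        return False
    if not password_acceptable(acct.username, new):
        return False
    acct.salt, acct.digest = hash_password(new)
    acct.must_change_password = False
    return True


if __name__ == "__main__":
    print(audit_weak_credentials(sample_accounts()))
```

The audit works on hashes alone, so it can be run against an existing user table without ever storing plaintext; it only needs two guesses per account because the weak values are known in advance. The same two checks in `password_acceptable` are what stops the condition from recurring at change time.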

The situation was reported to KPN by the IDG Netherlands web site Webwereld, which was tipped off by Robert 4U IT, an IT services firm, and a subsequent story was posted by IDG’s ComputerWorld.

The company said it had not been aware of the issue and praised Webwereld for informing it. KPN said the portal was immediately “slammed shut” and that registration procedures were changed to make the site more secure.

The company said no accounts had been hacked, but the passwords of all 140,000 affected accounts were automatically reset. Customers were sent an email explaining how to set a new password.

The site is now back online and KPN apologized to its customers.

About

John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

Talkback

3 comments
  • Que? Where were the password business rules implemented?

    Like:
    - Force immediate password change
    - Password cannot be similar to username
    and the rest.

    The business manager who approved the site needs re-education!!
    Patanjali
  • Where were the password rules implemented?

    Like:
    - password must be changed immediately
    - password cannot be similar to the username
    and the rest!

    The business manager who approved the site needs re-education!!
    Patanjali
    • Retyped it when the first one didn't show!!

      --
      Patanjali