The Netherlands' leading telecommunications company closed its customer self-service management portal Thursday after discovering that nearly 70% of its users had not changed the default password after they opened their accounts.
KPN said 120,000 of the 180,000 users of its Business Z-ADSL self-care portal were using the password “welkom01,” which is automatically set when an account is created. Another 20,000 users had user names that were also their passwords.
KPN customers were not required to change the default password, even though the portal was used for account management, including contact details, bank account numbers, and subscription services. The portal also allowed users to change their passwords, an option hackers could have used to easily hijack accounts.
It is not uncommon for computer hardware to ship with default passwords already installed, but online services typically let users create their own usernames and passwords.
The company said it was not aware of the issue and praised Webwereld for informing KPN of the situation. KPN said the portal was immediately “slammed shut” and registration procedures were altered to make the site more secure.
The company said no accounts were hacked, but all 140,000 were automatically reset. Customers were sent an email telling them how to reset their passwords.
The site is now back online and KPN apologized to its customers.