The SolarWinds drama just won’t stop. It’s a tale of Russian hackers (and potentially Chinese hackers), alleged email spying, and gaping security holes that seem to get worse as more details come to light. Now, we can add yet another twist to the story: the laughably insecure password “solarwinds123.” In this latest case, SolarWinds would like you to know that it was the intern’s fault.
In a joint hearing on Friday, former SolarWinds CEO Kevin Thompson told representatives from the House Oversight and Homeland Security Committees that the “solarwinds123” password, which protected a server at the company, was “related to a mistake an intern made, and they violated our password policies.” Thompson explained to lawmakers that the intern had posted the password on their own private GitHub account.
“As soon as it was identified and brought to the attention of my security team, they took that down,” Thompson said.
The password security problem dates back to at least 2018, although testimony provided by SolarWinds on Friday indicates that it could go back even further. In December, security researcher Vinoth Kumar told Reuters that he warned SolarWinds that anyone could access its update server using “solarwinds123.” CNN reported that the password had been accessible online since at least June 2018.
However, at the hearing, Sudhakar Ramakrishna, SolarWinds’ current CEO, told lawmakers that the “solarwinds123” password was used on one of the intern’s servers back in 2017.