Security experts from Hold Security, who examined Equifax’s South American operations after the company disclosed the breach, discovered that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by an easy-to-guess password combination: “admin/admin.”
Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee IDs and email addresses. Furthermore, the “list of users” page featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system.
The Equifax Argentina employee portal, known as Veraz (“truthful” in Spanish), went offline shortly after being contacted by KrebsOnSecurity.