Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Vodafone's BreachA Painful Lesson In Shared Passwords

Vodafone's embarrassing breach should serve as a wake-up call for enterprises that also engage in the dangerous practice of credential-sharing

The Australian operation of the wireless carrier Vodafone is feeling the full range of consequences from an information security breach--from notifying customers to firing employees to facing down regulators. And it's all because of a common but unsafe practice: Allowing shared passwords within enterprise accounts.

Vodafone officials were red-faced in January when they were informed by a journalist that she was able to log into the carrier's customer database using legitimate credentials. Australian Privacy Commissioner Timothy Pilgrim announced an investigation into the breach, and Vodafone warned customers of the problem and fired a number of employees in connection with the matter.

Vodafone said it acted quickly to shut down improper access. CEO Nigel Dews assured the public that Vodafone had changed passwords across the board and implemented more stringent password policies, including more frequent changes.

Account credential sharing is hardly a one-off problem in any big company, says Adam Bosnian, executive VP with Cyber-Ark Software, a security vendor. He's seen it most in retail environments, if turnover's high and there's no easy way to create and delete accounts when people join or leave the company. So companies take the efficient but "inherently risky" approach of just using generic, shared accounts, he says.

Password sharing can be particularly troublesome with databases accessed by Web applications, such as the one that powers Internet access to Vodafone's customer database, warns Phil Lieberman, CEO of Lieberman Software. "What happens is that there are certain high-powered accounts that are used by applications and also by users--call them 'generic accounts' because they end up being shared," he says.

One problem with such an account is there's no audit trail--you don't know if an app automatically accessed it, or a particular person did. Too many companies allow the practice to continue. IT staff in other companies could face the same fate as those at Vodafone who were fired should their sloppy practices be exposed.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...