Equifax reportedly used 'admin' as password in Argentina

Add Argentina to the list of countries potentially affected by sloppy Equifax security.

Sean Hollister Senior Editor / Reviews

Should you trust credit monitoring company Equifax to keep your personal data safe? The answer to that question may be getting clearer. Not only did the firm suffer one of the largest data breaches in history -- 143 million people's names, social security numbers, home addresses and more hacked -- but experts keep managing to poke holes in the company's security.

The latest comes from Argentina, where Equifax reportedly used the word "admin" as both the username and password for an employee web portal designed to protect both employees and customers who submitted credit disputes. (It doesn't take Edward Snowden to know that's a bad idea.)

According to cybersecurity expert Brian Krebs -- perhaps best known for his role in revealing the 2013 Target data breach that resulted in the theft of around 40 million credit card numbers -- the Argentinian site was secured so poorly that anyone could theoretically impersonate an employee by simply reading their username and password off the site, or even add themselves as a new "employee" to the database. 

Perhaps worse, they would have been able to read some 14,000 credit dispute complaints from ordinary Argentinian citizens, which were stored in plain text instead of being encrypted. After being contacted by Krebs about the vulnerability, the company took the portal down.

Equifax wouldn't fact-check specific details for us, but provided this statement:

"We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cybersecurity event that occurred in the United States last week. We immediately acted to remediate the situation, which affected a limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions. We have no evidence at this time that any consumers, customers, or information in our commercial and credit databases were negatively affected, and we will continue to test and improve all security measures in the region."

Other recently reported Equifax screw-ups include a tool to check if you've been hacked that didn't seem to work, and a credit-monitoring site that itself appears to be hackable.

On Monday, two US senators demanded that Equifax answer detailed questions about how, precisely, it was hacked and how long the company was aware, and that it shed light on three Equifax executives who sold stock after the hack was discovered but before it was made public.