Current and former top executives at the Texas-based software services firm SolarWinds are blaming a company intern for a critical lapse in password security that went unnoticed for years.
The supposedly leaked password was "solarwinds123"; it was discovered on the public internet in 2019 by independent security researcher Vinoth Kumar. According to Kumar, anyone could access SolarWinds’ update server using that password. The password had reportedly been available in a GitHub repository since June 17, 2018, before SolarWinds addressed the misconfiguration on November 19, 2019.
The issue of inadequate password security at SolarWinds was raised during a joint hearing by the House Oversight and Homeland Security committees.
"I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad," said Rep. Katie Porter. "You and your company were supposed to be preventing the Russians from reading Defense Department emails!"
SolarWinds representatives told lawmakers that as soon as the password issue was reported, it was addressed within days.
"I believe that was a password that an intern used on one of his GitHub servers back in 2017, which was reported to our security team and it was immediately removed," SolarWinds CEO Sudhakar Ramakrishna said.
The statement was echoed by former SolarWinds CEO Kevin Thompson, who also said that the password issue was "a mistake that an intern made."
"They violated our password policies and they posted that password on an internal, on their own private GitHub account," Thompson said. "As soon as it was identified and brought to the attention of my security team, they took that down."
However, neither Thompson nor Ramakrishna explained how such a weak password was allowed in the first place.
Last month, Deputy National Security Advisor Anne Neuberger said that nine government agencies and 100 private sector companies have been breached in the SolarWinds hack, which is being described as one of the most sophisticated and well-planned operations. The attack involved tainted updates for the Orion Software Platform containing a malicious implant designed to compromise the company's customers.