The SolarWinds drama just won’t stop. It’s a tale of Russian hackers’—and potentially Chinese hackers’—alleged email spying, and a gaping hole of security vulnerabilities that seems to get worse as more details come to light. Now, we can add yet another twist to the story: the laughably insecure password “solarwinds123.” In this last case, SolarWinds would like you to know that it was the intern’s fault.
In a joint hearing on Friday, former SolarWinds CEO Kevin Thompson told representatives from the House Oversight and Homeland Security Committees that the “solarwinds123” password, which protected a server at the company, was “related to a mistake an intern made, and they violated our password policies.” Thompson explained to lawmakers that the intern had posted the password on their own private GitHub account.
“As soon as it was identified and brought to the attention of my security team, they took that down,” Thompson said.
The password security problem dates back to at least 2018, although testimony provided by SolarWinds on Friday indicates that it could go back even further. In December, security researcher Vinoth Kumar told Reuters that he warned SolarWinds that anyone could access its update server using “solarwinds123.” CNN reported that the password had been accessible online since at least June 2018.
However, at the hearing, Sudhakar Ramakrishna, SolarWinds’ current CEO, told lawmakers that the “solarwinds123” password was used on one of the intern’s servers back in 2017.
According to CNN, Kumar showed SolarWinds that the password allowed him to log in and deposit files on its server. This was a way for any hacker to upload malicious programs to SolarWinds, the researcher stated.
“I’ve got a stronger password than ‘solarwinds123' to stop my kids from watching too much YouTube on their iPad,” Rep. Katie Porter, democrat of California, told SolarWinds officials at the hearing.
At this point though, it’s still uncertain whether the password leak played a role in the SolarWinds hack, CNN noted, which is believed to be the largest foreign intrusion campaign in U.S. history. This month, White House national security adviser Anne Neuberger stated that approximately 100 different companies and nine federal agencies, including the one that oversees the country’s nuclear weapons, had been compromised by foreign hackers.
The government is currently investigating the hack, and it’s still unclear what data hackers could have gotten access to. The investigation is expected to take several months. Kevin Mandia, CEO of FireEye, the cybersecurity company that discovered the hack, has said we may never know the scope of the attack.
“The bottom line: We may never know the full range and extent of damage, and we may never know the full range and extent as to how the stolen information is benefitting an adversary,” Mandia said.
Nonetheless, we do know one of the causalities of the attack: a poor unnamed intern that SolarWinds threw under the bus.