Is WeWork, the sprawling chain of coworking spaces expanding across the country and abroad, a tech company? WeWork is sure scrambling to find reasons to claim so, because “tech” is apparently some kind of magic word that it thinks will justify its $47 billion valuation. Its critics have instead characterized WeWork as a traditional real estate company in the risky business of signing cheap long-term leases and flipping them to customers as more expensive short-term leases, which would leave it scrambling to pay off its $47.2 billion in liabilities in the event of a downturn, and which has masked that it is a house of cards with cult-like branding and by just saying the word “tech” over and over.
As WeWork continues burning through billions, here’s some evidence for the latter bucket.
According to a Wednesday report in Fast Company, WeWork has been using “an easy-to-guess password shared at locations across the U.S. and abroad”—and specifically the kind of password that comes up on articles with titles like “Top 10 Worst Passwords.” (Fast Company did not write what the password actually is, but a number of Twitter users over the course of the past few years have alleged it is “P@ssw0rd.”)
Fast Company also found that WeWork configured its wifi networks to use WPA2 Personal, an older wifi standard that does not have robust security safeguards. This means that anyone with access to the password, which Fast Company reports was in widespread use at WeWork’s 528 global sites, could potentially use it for malicious means:
Newer versions of Wi-Fi security include encryption and authentication safeguards that make the quality of a password less important. WeWork, however, uses a version without these safeguards, originally designed for home Wi-Fi networks and called WPA2 Personal. That’s a dangerous scenario, according to the Wi-Fi Alliance, the body that oversees development and implementation of Wi-Fi standards. “Possession of the password for a WPA2 network provides the added ability to decrypt traffic from any client within range,” writes the Wi-Fi Alliance in an email to Fast Company.
One risk, according to Fast Company, is that WeWork’s poor security could facilitate man-in-the-middle attacks. A hacker could simply set up imposter Wi-Fi networks with name “WeWork” and the password in question. While HTTPS encryption might prevent an attacker from directly scooping up info being sent between users and cloud services like Gmail, connecting to that network could put those users at risk of being redirected to phishing sites or having personal information stolen, like browser cookies storing login credentials for other sites or files on their computers.
Fast Company’s investigation found the weak password/WPA2 Personal combination in effect at seven San Francisco WeWork sites, finding evidence it had also been used at its spaces in Los Angeles, Washington, D.C., New York City, Chicago, Palo Alto, Austin, and London. The site also reported that when originally contacted about the issue by WeWork customer and Digital Operatives CEO Nate Landon, WeWork’s IT team tried to sell Landon on a $195-a-month private connection with enhanced security. In a statement to Fast Company, WeWork doubled down on that option (which Landon told the site he didn’t trust to set up in a “secure manner”):
WeWork takes the security and privacy of our members seriously and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID, or a dedicated end-to-end physical network stack.
WeWork also told Fast Company it was in the process of introducing 802.1x authentication to its network, but a source told the site that due to delays WeWork won’t be rolling it out until at least Q1 2020. Tech, baby!