Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went diagnosed for years.
In 2019, an independent security researcher discovered the password in question, “solarwinds123,” on the public internet. The researcher warned the company that the leak had exposed a SolarWinds file server.
Several US lawmakers ripped into SolarWinds for the password issue Friday, in a joint hearing by the House Oversight and Homeland Security committees.
“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” said Rep. Katie Porter. “You and your company were supposed to be preventing the Russians from reading Defense Department emails!”
Microsoft President Brad Smith, who was also testifying at Friday’s hearing, later announced there is no evidence that the Pentagon was actually affected by the Russian spying campaign. Microsoft is among the companies that has led the forensic investigation into the hacking campaign.
Smith told Porter “there is no indication, to my knowledge, that the DoD was attacked”.
SolarWinds representatives told lawmakers Friday that as soon as the password issue was reported, it was corrected within days.
However, it is still unclear what role, if any, the leaked password may have played in enabling suspected Russian hackers to spy on several federal agencies and businesses in one of the most serious security breaches in US history.
Stolen credentials are one of 3 potential avenues of attack SolarWinds is investigating as it tries to reveal how it was first compromised by the hackers, who went on to hide malicious code in software updates that SolarWinds then pushed to some 18,000 customers, including many federal agencies.
SolarWinds CEO Sudhakar Ramakrishna said other theories SolarWinds is exploring include the brute-force guessing of company passwords, as well as the possibility the hackers could have entered via compromised third-party software.
The password issue was “a mistake that an intern made,” former SolarWinds CEO Kevin Thompson said, confronted by Rep. Rashida Tlaib.
“They violated our password policies and they posted that password on an internal, on their own private Github account,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”
Neither Thompson nor Ramakrishna explained to lawmakers why the company’s technology allowed for such passwords in the first place.
Ramakrishna later testified that the password had been in use as early as 2017.
“I believe that was a password that an intern used on one of his Github servers back in 2017,” Ramakrishna told Porter, “which was reported to our security team and it was immediately removed.”