Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin
Brian Krebs reports:
Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. Orvis says the exposure was inadvertent, and that many of the credentials were already expired.
What seems to be particularly problematic for Orvis at this point was the fact that they claimed the data were only exposed for a day, when a reliable source reported that the data had been exposed on more than on occasion. Orvis’s response to that information was…. less than ideal? Brian reports:
However, according to Hold Security founder Alex Holden, this enormous passwords file was actually posted to Pastebin on two separate occasions last month, the first being on Oct. 4, and the second Oct. 22. That finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online.
Orvis did not respond to follow-up requests for comment via phone and email; the last two email messages sent by KrebsOnSecurity to Orvis were returned simply as “blocked.”
Read more on KrebsOnSecurity.com.