Administrator password exposed in public URL for over six months

Incident Date: 2003
Incident Location: Minneapolis MN USA

An administrator account name and password for a Web site operated by Carmichael Lynch was inadvertently published within a hyperlink in a job listing Web advertisement. The company is a public relations and advertising firm with several big-name clients. The advertisement containing the password may have allowed unauthorized individuals to gain access to internal files for more than six months.

Among the internal documents exposed were customer databases owned by two clients, Porsche and American Standard. These included a 13.5MB database containing names, addresses, vehicle information, and other details on nearly 75,000 luxury car and SUV owners. The mistake also provided access to a spreadsheet containing contact information, email addresses, and registration passwords for nearly 12,000 people who had registered with the American Standard Web site.

An anonymous individual on the Internet said he discovered the problem in June of 2002 and notified Carmichael Lynch. He went public in January of 2003 with the exposed password finding because the company failed to fix the mistake.

Carmichael Lynch spokeswoman Sara Mulder said that the company has no evidence that unauthorized visitors took advantage of the leaked account and password. Human resources employees used the account name and password to upload job listings. She blamed the use of Microsoft’s FrontPage Web publishing software on embedding "unwanted code, creating that loophole." Mulder confirmed that Carmichael Lynch learned about the flaw in June of 2002, but said the company thought it had solved the problem.


Story Sources

Title: Help Wanted: Steal This Database
Author: Brian McWilliams
Date: 1/6/2003
Publication: Wired Magazine
Publication Location: CA USA
Publication URL: http://www.wired.com/news/infostructure/0,1377,57066,00.html


Do you have additional information to contribute regarding this story? If so, please email siteupdates@passwordresearch.com with the details and source.

<-- Back to Authentication Story Index





[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com