[BreachExchange] Orvis.com Exposed Hundreds of Internal Passwords on Pastebin.com

Destry Winant destry at riskbasedsecurity.com
Tue Nov 12 09:21:34 EST 2019


https://www.technadu.com/orvis-com-exposed-hundreds-internal-passwords-pastebin/84732/

- Orvis.com exposed credentials on Pastebin, as one of their
  collaborators posted them twice there.
- The company officially responded that the credentials have already
  expired, but the discovering firm thinks otherwise.
- The passwords concerned encryption certificates, routers, servers, and
  even a safe's lock combination.

According to a report by Krebs on Security, Orvis.com has leaked a
large number of passwords that were used internally by posting them on
Pastebin.com by mistake. The credentials concern backend management,
firewall administration, router settings, and even provided access to
database servers. Orvis.com is an online retailer of clothes, fishing
gear, and hunting equipment, and its high quality and “classic”
product styling have won them a reputable position in the market. The
company operates 69 retail stores and 28 outlets in the U.S. and the
UK, while they employ 1700 people.

The first to discover the blunder was a security research firm called
"Hold Security", which tipped Krebs a couple of weeks ago. The
researcher then contacted Orvis, and they responded immediately by
acknowledging their mistake and removing the paste. As they told
Krebs then, the paste had only been exposed for a day and contained
old credentials that had already expired. As the Orvis spokesperson
stated, most of the devices associated with the leaked credentials
have already been decommissioned. Upon hearing this, Hold Security
representatives expressed their disagreement.

As the Wisconsin firm publicly states, Orvis apparently posted two
lists on Pastebin. The first one was on October 4, and the second was
on October 22, so the exposure lasted for more than a single day. As
for the content, the usernames and passwords were in plaintext form
and constituted the keys to access the following:

- Antivirus engines
- Data backup services
- Multiple firewall products
- Linux servers
- Cisco routers
- Netflow data
- Call recording services
- DNS controls
- Orvis wireless networks (public and private)
- Employee wireless phone services
- Oracle database servers
- Microsoft 365 services
- Microsoft Active Directory accounts and passwords
- Battery backup systems
- Security cameras
- Encryption certificates
- Mobile payment services
- Door and alarm codes
- FTP credentials
- Apple ID credentials
- Door controllers
- Combination to a locked safe in the server room

Possibly, the exposure came from one of Orvis' partners, as the
document was annotated with "VT Technical Services". This is a topic for
Orvis' internal investigation; what matters for us is the fact
that a big company left the keys to its systems online for
anyone to grab. Malicious actors monitor repositories like
Pastebin and GitHub 24/7, so this leak was almost certainly noticed. It is
rare to see an exposure that does not include customer data, but with
everything that was provided this time, actors could have compromised
Orvis' systems to steal anything else they might be interested in.


More information about the BreachExchange mailing list