Telecom portal shut after 70% of customers found to be using default passwords

The Netherlands leading telecommunications company closed its customer self-service management portal Thursday after discovering that nearly 70% of its users had not changed the default password after they opened their accounts.

KPN said 120,000 of the 180,000 users of its Business Z-ADSL self-care portal were using the password “welkom01,” which is automatically set when an account is created. Another 20,000 users had user names that were also their passwords.

KPN customers were not required to change the default password, even though the portal was used for account management, including contact details, bank account numbers, and  subscription services. The portal also allowed users to change their passwords, an option hackers could have used to easily hijack accounts.

It is not uncommon for computer hardware to ship with default passwords already installed, but online services typically let users create their own usernames and passwords.

The situation was reported to KPN by the IDG Netherlands web site Webwereld, which was tipped off by Robert 4U IT, an IT services firm, and a subsequent story was posted by IDG’s ComputerWorld.

The company said it was not aware of the issue and praised Webwereld for informing KPN of the situation. KPN said the portal was immediately “slammed shut” and registration procedures were altered to make the site more secure.

The company said no accounts were hacked, but all 140,000 were automatically reset. Customers were sent an email telling them how to reset their passwords.

The site is now back online and KPN apologized to its customers.