Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. Orvis says the exposure was inadvertent, and that many of the credentials were already expired.
Based in Sunderland, Vt., and founded in 1856, privately held Orvis is the oldest mail-order retailer in the United States. The company has approximately 1,700 employees, 69 retail stores and 10 outlets in the US, and 18 retail stores in the UK.
In late October, this author received a tip from Wisconsin-based security firm Hold Security that a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin.
Reached for comment about the source of the document, Orvis spokesperson Tucker Kimball said it was only available for a day before the company had it removed from Pastebin.
“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones,” Kimball said. “We are leveraging our existing security tools to conduct an investigation to determine how this occurred.”
However, according to Hold Security founder Alex Holden, this enormous passwords file was actually posted to Pastebin on two separate occasions last month, the first being on Oct. 4, and the second Oct. 22. That finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online.
Orvis did not respond to follow-up requests for comment via phone and email; the last two email messages sent by KrebsOnSecurity to Orvis were returned simply as “blocked.”
It’s not unusual for employees or contractors to post bits of sensitive data to public sites like Pastebin and GitHub, but the credentials file apparently published by someone working at or for Orvis is by far the most extreme example I’ve ever witnessed.
For instance, included in the Pastebin files from Orvis were plaintext usernames and passwords for just about every kind of online service or security product the company has used, including:
- Data backup services
- Multiple firewall products
- Call recording services
- Orvis wireless networks (public and private)
- Employee wireless phone services
- Oracle database servers
- Microsoft 365 services
- Microsoft Active Directory accounts and passwords
- Battery backup systems
- Mobile payment services
- Door and alarm codes
- Apple ID credentials
By all accounts, this was a comprehensive goof: The Orvis credentials file even contained the combination to a locked safe in the company’s server room.
The only clue about the source of the Orvis password file is a notation at the top of the document that reads “VT Technical Services.”
Holden said this particular exposure also highlights the risk posed by third parties, since the leak most likely did not originate with Orvis staff at all.
“This is a continuously growing trend of exposures created not by the victims but by those that they consider to be trusted partners,” Holden said.
It’s fairly remarkable that a company can spend millions on all the security technology under the sun and have all of it potentially undermined by one ill-advised post to Pastebin, but that is certainly the reality we live in today.
Long gone are the days when one could post something for a few hours to a public document hosting service and expect nobody to notice. Today there are a number of third-party services that regularly index and preserve such postings, regardless of how ephemeral those posts may be.
“Pastebin and other similar repositories are constantly being monitored and any data put out there will be preserved no matter how brief the posting is,” Holden said. “In the current threat landscape, we see data exposures nearly as often as we see data breaches. These exposures vary in scope and impact, and this particular one is as bad as they come without specific data exposures.”
If you’re responsible for securing your organization’s environment, it would be an excellent idea to build some tooling that monitors Pastebin, GitHub and other sites where employees sometimes publish sensitive corporate data, inadvertently or otherwise, for your domains and brands. There are many ways to do this; here’s one example.
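As an added illustration (not the tool the article links to, and not Orvis’s code), here is a minimal Python scanner of the kind such monitoring runs over each new paste: it flags lines that name the organisation’s own terms, flags credential-shaped lines, redacts them so the alert stores no secret, and escalates only when both co-occur so generic consumer dumps stay out of the queue. The watch list, the `example.com` domain and the sample paste are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample paste (not the real Orvis file), as a monitor would see it.
SAMPLE_PASTE = """VT Technical Services
fw01.example.com admin:Summer2019!
Wireless (guest) SSID: ExampleGuest pass: welcome123
backup user backupsvc@example.com / Backup#1
Oracle prod db: oracle / Oracl3db
Lunch menu for Friday: pizza
"""
# Assumed watch list: the organisation's own domains, brands and labels.
WATCH_TERMS = ["example.com", "example corp", "vt technical services"]
# Credential-shaped text: "password: x", "user:pass", "user / pass".
CRED_PATTERNS = [
    re.compile(r"\b(user|username|login|admin|pass|password|pwd)\b\s*[:=]\s*\S+", re.I),
    re.compile(r"[\w.-]+\s*[:/]\s*\S{6,}"),
]

@dataclass
class Hit:
    line_no: int
    terms: list = field(default_factory=list)  # watched terms seen on the line
    credential: bool = False                    # line looks like a credential
    excerpt: str = ""                           # redacted: the alert stores no secret

def redact(line):
    """Mask whatever follows a ':', '=' or '/' separator."""
    return re.sub(r"([:=/]\s*)(\S+)", lambda m: m.group(1) + "*" * len(m.group(2)), line)

def scan_paste(text, watch_terms=WATCH_TERMS):
    """One Hit per line that names a watched term or looks like a credential."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        hit = Hit(no, [t for t in watch_terms if t in low],
                  any(p.search(line) for p in CRED_PATTERNS), redact(line))
        if hit.terms or hit.credential:
            hits.append(hit)
    return hits

def triage(hits):
    """Escalate only when our terms and credential-shaped lines co-occur;
    a generic consumer dump that never names us is noise."""
    ours = any(h.terms for h in hits)
    if ours and any(h.credential for h in hits):
        return "escalate"
    return "review" if ours else "ignore"
```

In practice the paste text comes from a scraping feed or the site's API, and the watch list is widened to include internal hostnames, product names and the like.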
Have you built such monitoring tools for your organization or employer? If so, please feel free to sound off about your approach in the comments below.
WOW! Talk about having the keys to the Kingdom!
Thanks again for the great reporting Brian! I am certainly going to look into the keyword monitoring on Pastebin and GitHub.
That ‘Rookie’ mistake is going to cost them a lot!
Thanks for the reporting, Brian!
It’s not always a rookie mistake… Complacency, convenience or even the rush/pressure to get things done quickly/agilely are also common contributors.
Wow! Just WOW!! Thanks Brian for publishing this; one of the most extraordinary stories to date!! Who knew a company could stab itself in the back in such a way!
I hope they get their security ironed out, but there could also be a silver lining to this incident. I’ve never heard of this sports supply house, even though it is so old that even Moses might have done business with them. The media exposure may even make sportsmen aware of this company and prod them to investigate further.
I suppose it is better to try a different company like this AFTER such an incident, when you hope they learned a lesson. I am curious about them, and will search online immediately after posting to see if I could use some of their products.
Thanks again to KOS for doing the hard gum shoe work to give us the story!
Well, they probably heard that using a cloud-based password manager makes things easy. And someone had a “brilliant” idea, why pay for it? Pastebin is free and it’s easy to access from everywhere, right? Bingo!
PS. And what better way to make this issue go away than to block Krebs’ email. Bingo, twice!
A well-configured and comprehensively implemented privileged access management system (such as CyberArk) would have gone a long way to making all of the information contained in that file completely useless.
In fact, with said PAM solution, the file wouldn’t have needed to exist in the first place.
As a longtime customer who has purchased items online and in their brick-and-mortar stores over the past few decades (but not in recent years), I’m at least happy to know that type of customer account information wasn’t obviously compromised.
I think you are making a huge leap of faith on your assumption. You have to trust that the company is not lying about the usernames and passwords already being expired prior to the exposure going into the public eye. If they hadn’t been, then the sheer level of access they would have had means that theoretically they got to the database and found your transactions.
As I noted, I haven’t purchased anything from them online in quite a while — if the username and account password have been compromised somehow, that information will (with Brian’s story and his normal follow-up efforts) come to light soon enough.
Memo to Orvis. Being privately held does make it easier to block relentless investigators like BK because there are no public shareholders who need an explanation for the behavior. On the other hand, a (long shot, it’s true) potential customer like myself would only buy your products for cash in a brick and mortar store because your behavior shows that you won’t even own up if you make an IT mistake.
At least having used Pastebin as a password manager makes about the only plausible case for “the passwords were old, anyway” without thinking “when it finally started to be publicly known that the passwords are sold to crooks”.
Here is a google dork if you want to find stuff like this yourself
There are also bots on twitter you can just follow that spot password dumps immediately if that is your interest.
Most end up being consumer SaaS but there are some more interesting ones from time to time.
It used to be that basic credentials were shared with a new hire or a temp agency contractor by pointing them to a wall where everyone in the office would put a post-it note with info they’d need to get started.
Things like the access code for the staff room, the Pandora account everyone shares, the staff lounge wifi password, the password for the company shared folder, etc. was on the wall.
New guy or gal comes in, asks questions, you’d point to the wall.
Then some neat freak decided to type it up. Then it got shared internally.
And then one of the recipients gets the stupid idea to put it online. And then it winds up being seen by Holden and KOS.
The key here is to get rid of stupid people and neat freaks, obviously.
One would think that an IT person, assuming other employees would not have access to this type of file, would have encrypted anything posted to a possibly public site.
At which point will CEOs, CTOs, IT Directors etc. be held accountable for those events??? Aren’t they responsible for managing IT departments?
How about lean bonuses and more IT folks? Would that help?
Back in the ’90s, I was one of three holding the keys to the kingdom of a major police department: we managed the Microsoft LAN. There were frequent stories of people who put passwords on Post-it notes, on the bottom of keyboards, etc. And I’m sure people still do it today.
So I put some passwords on the bottom of my keyboard. They didn’t relate to anything on the system, I was just hoping that this jerk of a lieutenant who thought he knew IT and was making life miserable for us would pull a sneak inspection and find them and try them.
But now, I’ve left the IT field behind, though I obviously still read Brian, and some other sites. I now work in a library, mainly doing interlibrary loan. A zero-stress job is quite a wonderful thing, even if the pay is low.
So out of the 1,700 employees how many are security professionals? And what are they getting paid? And do they have anything other than Net+/Sec+?
Companies try to get by on the cheap with “IT” people and basic computing skills don’t make you into a security professional who knows what they are doing.
I see it at various defense contractors. The IT department usually has the lowest pay compared to the engineers that are billable.
I can’t understand any company using pastebin for internal communications. You encrypt things. And you shouldn’t let passwords out of the company.
Anything you put on a “cloud” thing like pastebin should be things you expect to be viewed by anyone.
While worse, this is kind of like people uploading sensitive documents to virustotal. Does anyone have any common sense left?
Since many people here do not speak “spokesperson”, let me translate:
“The file contains old credentials” = “many, but not all, of the credentials are our current credentials”
“many of the devices associated with the credentials are decommissioned” = “many, but not all, of the credentials are used on our active systems”
“the company had it removed from Pastebin” = “the company was notified after it had been so widely disseminated, that a friend of the company saw it and told us”
Thank you for your translation comment. In symbolic logic we have two types of related statements: “for all x” and “for some x”.
That logic translation comment is right on the money. Given x=passwords, there exists an x such that some passwords were not changed.
From Brian’s paste, it is not just user passwords but system passwords, including security-related passwords. If Orvis doesn’t hire an outside security firm for Incident Response, they can expect ongoing security scandals. This is the stuff the script kiddies love to do.
I’m not totally sure it was a 3rd party – the date they suspected that the initial Pastebin post was put up (Oct. 4) lines up pretty closely with a job posting (https://usr56.dayforcehcm.com/CandidatePortal/en-US/orvis/Posting/View/1652) for an IT Senior Systems Engineer.
This isn’t proof positive, but I would strongly suspect insider threat in the form of a disgruntled, recently terminated employee.
The combination to the corporate safe? Good grief; how stupid can you get?
Yeah... but China had them first.
Thank you for sharing this info, I really enjoyed your storytelling style.
The diversity in password complexity in this case is notable. There are many examples of what NOT to use.
We monitor and scrape pastebin sites, open, deep and Dark Web for keywords pertaining to our company or area of interest and provide alerting when something appears. We also do this for our customers. If you are not proactively looking for this content how will you ever know it is there.
One word: PAM.