- Orvis.com exposed credentials on Pastebin, as one of their collaborators posted them twice there.
- The company officially responded that the credentials have already expired, but the discovering firm thinks otherwise.
- The passwords concerned encryption certificates, routers, servers, and even a safe’s lock combination.
According to a report by Krebs on Security, Orvis.com has leaked a large number of passwords that were used internally by posting them on Pastebin.com by mistake. The credentials concern backend management, firewall administration, router settings, and even provided access to database servers. Orvis.com is an online retailer of clothes, fishing gear, and hunting equipment, and its high quality and "classic" product styling have won them a reputable position in the market. The company operates 69 retail stores and 28 outlets in the U.S. and the UK, while they employ 1700 people.
The first to discover the blunder was a security research firm called “Hold Security”, which tipped Krebs a couple of weeks ago. The researcher then contacted Orvis, and they responded immediately by acknowledging their mistake and removing the Pastebin. As they told Krebs then, the paste had only been exposed for a day and contained old credentials that were already expired. As the Orvis spokesperson stated, most of the devices associated with the leaked credentials have already been decommissioned. Upon hearing this, Hold Security representatives expressed their disagreement.
As the Winsconsin firm publicly states, Orvis apparently posted two lists on Pastebin. The first one was on October 4, and the second was on October 22, so the exposure lasted for more than a single day. As for the content, the usernames and passwords were in plaintext form and constituted the keys to access the following:
-Data backup services
-Multiple firewall products
-Call recording services
-Orvis wireless networks (public and private)
-Employee wireless phone services
-Oracle database servers
-Microsoft 365 services
-Microsoft Active Directory accounts and passwords
-Battery backup systems
-Mobile payment services
-Door and Alarm Codes
-Apple ID credentials
-Combination to a locked safe in the server room
Possibly, the exposure came from one of Orvis’ partners, as the document was notated by “VT Technical Services”. This is a topic for Orvis’ internal investigation, and what matters for us is the fact that a big company has left the keys to their systems online for anyone to grab. Malicious actors are monitoring repositories like Pastebin and GitHub 24/7, so this leak was definitely noticed. It is rare to see exposures without the inclusion of customer data, but with all that was provided this time, actors could have compromised the systems of Orvis to steal anything else they might be interested in.