SolarWinds executives blame intern for 'solarwinds123' password lapse

SolarWinds CEO Sudhakar Ramakrishna said that the password had been in use as early as 2017

Executives at Texas-based software firm SolarWinds have blamed an intern for using a weak password that went unnoticed for many years.

In a joint hearing before the House Committees on Oversight & Reform and Homeland Security on Friday, Representative Rashida Tlaib questioned ex-CEO Kevin Thompson about media reports claiming that some of SolarWinds ' servers were protected with passwords such as ' solarwinds123 '.

Thompson testified that the mistake was made by an intern, who violated the company's password policies.

He told lawmakers that the intern had posted the password in a private GitHub account, adding that the mistake was corrected after it was brought to the notice of the security team.

When Rep. Katie Porter of California asked CEO Sudhakar Ramakrishna about the same incident, he said that the ' solarwinds123 ' password had been in use as early as 2017.

"I believe that was a password that an intern used on one of his…servers back in 2017, which was reported to our security team and it was immediately removed."

Security researcher Vinoth Kumar claimed that he had alerted SolarWinds about a publicly accessible GitHub repository in December, which contained the password of the server handling updates to the company's software.

The password was publicly accessible from June 2018. Kumar showed SolarWinds that he could use the password to log in and deposit files on the company ' s server.

SolarWinds eventually addressed the issue on 22nd November 2019.

"I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad," Rep. Porter said. "Misrepresenting the facts to downplay the company's role and responsibility for the hack is disappointing but unsurprising."

At this time, it is still not clear whether the weak password played a role in the SolarWinds hack last year, which is thought to be the largest foreign intrusion into US networks to date. Attackers were able to use the company's monitoring tool to access customers' systems - including those of the US government. SolarWinds asserts that the two security issues are unrelated, stating:

'SolarWinds has determined that the credentials using that password were for a third-party vendor application and not for access to the SolarWinds IT systems. Furthermore, the third-party application did not connect with the SolarWinds IT systems. As such, SolarWinds has determined that the credentials using this password had nothing to do with the SUNBURST attack or other breach of the company's IT systems.'

Rep. Porter stressed that the US needs "stronger federal oversight of internet companies, especially those that are vital to our national security and critical infrastructure."

"Rest assured, I'll be following up," she added.

In December, SolarWinds said that the supply chain attack may have impacted about 18,000 customers, including leading software and security companies and several government agencies.

In an SEC filing, the firm stated that it believed an ' outside nation state ' was behind the cyber campaign, in which hackers breached the company's network and inserted malicious code into the updates of its Orion network management software issued between March and June 2020.

Earlier this year, it emerged that the hackers were also able to access some of Microsoft's source code, although they could not make any changes to it.