Dutch ISP finds 120,000 ADSL accounts with default passwords
KPN, a major Dutch internet service provider (ISP), has found that over one hundred thousand of its customers have never changed their default passwords, leaving accounts vulnerable to unauthorised access. According to a forum post by the company, approximately 120,000 of its 180,000 business ADSL customers had not changed their default password from "welkom01"; about 20,000 other customers were said to be using their username as their password.
By not changing default passwords or by using weak passwords, customers left their accounts vulnerable to access by malicious third parties who could, for example, change or remove email accounts, change or disconnect internet service, or add or remove additional paid services. The company says that it discovered the problem following a report from Amsterdam-based news site Webwereld and has since automatically reset the 140,000 potentially vulnerable passwords.
Affected customers have been sent an email explaining the problem and asking them to set new, more secure passwords. KPN says that it has no evidence that leads it to believe that any customer accounts were accessed by unauthorised parties.