Users' passwords exposed by Splunk
Regrets the error
Updated Splunk, a kind of Google for business technology that boasts it can help reinforce your security, has exposed the details of major customers to hackers following a web site slip up.
The passwords of customers on Splunk.com were revealed after some debug information leaked on to its production servers. The debug code exposed users passwords to Splunk.com as clear text, the company said. The site contained the emails and user names customers had used to register with Spluk.
Splunk has reset all affected users' passwords in what it called an "abundance of caution", and purged the log files and indexes of users' active sessions on Splunk.com. It advised customers to change the temporary password as soon as possible.
Also, Splunk urged those who used their Splunk.com password on other systems or web sites to also change those passwords.
That should mean around half of Splunk users affected should have to change: a survey of web users' habits in the UK alone in January found 46 per cent use the same password for most web-based accounts. Five percent use the same password for every site.
The company notified customers through a letter and on its blog. According to the blog: "We have no reason to believe that the information was exposed to anyone other than the small subset of Splunk employees that have access to our internal Splunk deployment."
It said a "small number of passwords" were exposed in the web server’s error log.
Splunk has 1,750 customers including BT, Cisco, LikedIn, Nasa, Visa and the US Department of Energy. Its software is downloaded from the web and is used as a search, monitor and reporting tool that crawls through the raw data on applications, hardware and network systems.
Splunk searches logs, configurations, messages, alerts, scripts and metrics on a variety of systems. According to the company's site: "With Splunk you can troubleshoot application outages, investigate security incidents, and demonstrate compliance in minutes, not hours or days." ®
This article has been updated to explain the type of customer information contained in the Splunk.com site.
A security company keeping passwords of users? And in the clear? I will give them a free piece of invaluable advice. Store a hash of the password, never the password itself. There is absolutely no reason why any system would need to keep the password on file - except to increase the risk of exposing sensitive information or to use it for criminal activity.
Just can't take the article seriously
with that name. Seriously, who saluted that one when they ran it up the flagpole?
And, please, any discussion of "internal Splunk deployment" should be kept in the Netherlands where it belongs.
Then again it might make a good (and it's really about time we had one) generic verb/noun for an enterprise privacy breach. As in: "I don't believe it, BT have splunked my credit card details all over the place!" etc.
Just to clear up some misconceptions...
1. Last week, due to some temporary debug code that was promptly removed, we discovered that some splunk.com users’ passwords inadvertently appeared in our internal web server logs.
2. No one’s password was accessible from the internet or the splunk.com web site, and we took immediate steps to purge the confidential information from our internal system logs.
3. Our internal IT team that monitors the Splunk.com site logs are the only employees who would have temporarily been able to see these passwords.
4. This applies only to passwords on our web site, splunk.com, and did not impact anyone’s deployment of Splunk software or the data stored in customers’ instances of Splunk.
5. We proactively reset all potentially affected users’ passwords; cleared all of these users’ active sessions on splunk.com; purged the information from all internal log files; and then notified all affected users, sending them a new temporary password. This was a precaution.
No, we don't normally leave clear text passwords in the logs - web monkeys have been appropriately flogged.
Feel free to ask me any questions or see the updated blog post here: http://blogs.splunk.com/2010/04/24/splunk-com-password-leak/
John Mark Walker
Splunk Community Guy