After the hack was first discovered, Vinoth Kumar, a cybersecurity expert who advised SolarWinds, said the password for the firm’s update server was “solarwinds123.” Kumar said he warned SolarWinds that anyone could access the server because of this password. “This could have been done by any attacker, easily,” he told Reuters last December.
Kumar’s claim about the password turned out to be true. Congressional hearings in February confirmed that “solarwinds123” was not only the password but had also been leaked and available to the public on the internet for years. Former SolarWinds CEO Kevin Thompson blamed an intern for posting the password on GitHub, a platform programmers use to share software information.
“They violated our password policies and they posted that password on an internal, on their own private GitHub account,” Thompson said during a joint hearing by the House Oversight and Homeland Security committees.
Sudhakar Ramakrishna, the current SolarWinds CEO, said the password was publicly available as early as 2017. “I believe that was a password that an intern used on one of his GitHub servers back in 2017,” he said. SolarWinds did not correct the issue until November 2019. According to the timeline from SolarWinds, suspicious activity on their server began in September 2019.
In addition, some of the back doors left on compromised machines have passwords that are easily guessed, so that newcomers can take them over.