Orange España, Spain’s second-largest mobile operator, suffered a major outage on Wednesday after an unknown party obtained and used an extremely weak password to access an account managing the company’s global Internet traffic routing table.
According to Ars Technica, the hacker logged into Orange’s RIPE NCC account at 7:28 a.m. using the password “ripeadmin” (without quotes). The RIPE Network Coordination Center is one of five regional Internet registries responsible for the management and distribution of IP addresses for Internet providers, telecommunications organizations and companies that manage their own network infrastructure. RIPE serves 75 countries in Europe, the Middle East and Central Asia.
The password was leaked after a user under the pseudonym Snow posted on social media an image of the orange.es email address associated with the RIPE account. RIPE said it is working to strengthen account security.
Security company Hudson Rock connected the email address to a database it maintains to track credentials for sale on online marketplaces. In a statement, the firm said the username and “ridiculously weak” password were obtained by information-stealing malware that had been installed on an Orange computer since September. The password was then offered for sale on the information market.
Researcher Kevin Beaumont said thousands of credentials protecting other RIPE accounts are also available on those markets.
Snow’s changes didn’t cause much trouble at first, but things got worse later, says expert Doug Madory, who published a technical report on the hack. In short, the attacker turned the route hijacking protection tool into a denial of service for Orange users.
The worst part about the incident is that Snow’s motives are still unknown. Given how the attacker behaved when changing the global routing table, the researchers assume that Snow was just experimenting with access. There’s also the possibility that the attacker was slow to raise awareness of the weak password and only escalated when he saw the company’s soft response.