Oversight and Homeland Security announced that Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, and Rep. Bennie G. Thompson, Chairman of the Committee on Homeland Security, held a joint hearing examining the supply chain attack targeting SolarWinds. Members heard testimony from Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds Corporation; Kevin B. Thompson, Former Chief Executive Officer of SolarWinds Corporation; Kevin Mandia, Chief Executive Officer of FireEye, Inc.; and Brad Smith, President of Microsoft Corporation.
During the hearing, Rep. Rashida Tlaib questioned SolarWinds executives about the company’s lax security practices. Rep. Tlaib also asked about a reported incident in which some of the company’s servers were protected with passwords such as “solarwinds123”.
Kevin B. Thompson, Former Chief Executive Officer of SolarWinds, admitted to the incident and stated that it was related to a mistake made by an intern and that it violated the company’s password policies. He also claimed that the intern had posted the password in an internal account and that it was taken down as soon as it was identified and brought to the attention of the security team.
Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, also testified that the password was used by the intern on one of his servers back in 2017 and was removed immediately. The password was believed to have been publicly accessible in a GitHub repository since June 17, 2018, and the misconfiguration was addressed on November 22, 2019.