Report: Specialty outdoor retailer lets out company credentials

Orvis has reportedly leaked internal user data on a popular text-sharing site.

According to the KrebsonSecurity blog by security analyst Brian Krebs, Vermont-based Orvis accidentally shared hundreds of corporate credentials on the text-sharing site Pastebin in October 2019. The info reportedly included plain text user names and passwords for sensitive internal applications including antivirus engines, firewalls, wireless networks, servers, mobile payment services, security cameras, and door and alarm codes. 

An Orvis spokesperson told KrebsonSecurity that many of the exposed credentials were expired and they were only online for one day before they were discovered and removed. Orvis, which sells fishing gear and other outdoor sporting equipment, operates 69 retail stores, 10 outlet stores, and an e-commerce site in the U.S.

However, Wisconsin-based security firm HoldSecurity, who first tipped KrebsonSecurity to the breach, said the file of user credentials was posted on Pastebin on both Oct. 4 and 22. HoldSecurity speculated the error was most likely committed by a third-party contractor.

Click here to read the whole article.