Orvis Has Admitted to Leaking Internal Passwords That Could Have Exposed the Company's Security
Established in the 1850s, Orvis is considered to be one of the first mail-order businesses in the US. It started out as a specialized retailer for fly fishing paraphernalia, but it now sells all sorts of clothes and sporting goods. It employs around 1,700 people in close to 100 locations, and it's something of a household name in parts of America and Britain. Now, it's also famous for exposing an enormous amount of sensitive internal information on Pastebin.
Brian Krebs, the cybersecurity journalist who first reported the incident, described the leak as "by far the most extreme example" of data exposure he has ever seen. But who's responsible for the breach? And how did it happen?
Someone inadvertently left tons of Orvis usernames and passwords for the world to see
As you can see, Orvis is a relatively large organization, and you can only imagine how many different third-party services it relies on to operate. Obviously, to run these third-party services, Orvis employees need login credentials, and for some reason, one single person had access to all of those usernames and passwords. That person then made the terrible mistake of uploading them all to Pastebin, where they were accessible to anyone with an internet connection.
The nature of the exposed data is so diverse, it can make your head spin. Included in the file were plaintext usernames and passwords that can put Orvis' physical and online security under serious pressure if they fall into the wrong hands.
There were login credentials for anything from Wi-Fi networks through backend servers, antivirus and firewall products, DNS controls, FTP, Microsoft 365, and Active Directory accounts, to mobile payment systems. There were also passwords for security cameras, battery backup systems, door controllers, as well as door and alarm codes. There was even a combination to a safe that is kept in one of the retailer's server rooms.
The file was first found by a team of experts working for Hold Security and 4iQ, who think that the data leak was most likely the result of an honest mistake. Who made that mistake, however, and why they had access to all that information remains unknown. A notation saying "VT Technical Services" can be found at the beginning of the file, but at this point in time, its meaning is also unknown.
Orvis says that things aren't as bad as they seem
Unsurprisingly, as soon as Brian Krebs got wind of the leak, he called Orvis and asked for a comment. A spokesperson was quick to point out that the accidentally leaked file contained quite a few old passwords that were no longer active. Newer credentials have already been invalidated, and according to the retailer, the exposed file was taken down mere hours after it appeared online.
The security researchers who discovered the leak beg to differ, though. They say that the password file was posted on Pastebin not once, but twice: first on October 4, and later, on October 22.
When Brian Krebs asked Orvis to confirm or deny these findings, the retailer blocked his emails. Even if the people responsible for the online shop's security and PR are convinced that the researchers are wrong and that the file was accessible for a limited period of time, this is hardly the perfect response in the aftermath of a data exposure incident that could have had absolutely devastating consequences for Orvis' business.