#Privacy: Internal passwords belonging to Orvis leaked twice

A report has revealed that Orvis.com, an American retailer, leaked hundreds of internal passwords on Pastebin.com.

According to Krebs On Security, the leaked credentials related to backend management, firewall administration, router settings and database servers. 

Krebs received a tip from Hold Security in late October about the data breach, stating that there was a large file containing internal usernames and passwords for Orvis – which had been posted to Pastebin. 

The researcher who identified the breach contacted Orvis and removed the Pastebin. According to an Orvis spokesperson Tucker Kimball – the data was only available for a day before the company had it removed. 

“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones,” Kimball said. “We are leveraging our existing security tools to conduct an investigation to determine how this occurred.”

However, founder of Hold Security Alex Holden stated that the large file had been posted to Pastebin on two separate occasions; October 4 and October 22. Holden’s findings was corroborated  by 4iq.com – a company that collects information from leaked databases online. 

The files contained credentials for door and alarm codes, security cameras, door controllers, FTP credentials, antivirus engines and more. 

It remains unknown as to how the credentials came to be on Pastebin, however it could be due to an internal threat actor or a malicious third party. 

“Malicious actors are monitoring repositories like Pastebin and GitHub 24/7, so this leak was definitely noticed. It is rare to see exposures without the inclusion of customer data, but with all that was provided this time, actors could have compromised the systems of Orvis to steal anything else they might be interested in,” said Krebs.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/