Internal passwords belonging to American retailer Orvis were twice leaked online in a double data breach.
Credentials belonging to the luxury fishing equipment purveyor were posted on the website Pastebin.com last month, according to investigative reporter Brian Krebs.
A swathe of plaintext usernames and passwords relating to everything from firewalls and routers to database servers and even administrator accounts was exposed for several weeks.
The leaked files from the Vermont-based retailer included credentials for security cameras, door controllers, door and alarm codes, and FTP credentials, and even showed the combination to a locked safe in the company's server room.
Krebs was tipped off about the data breach in late October by Wisconsin-based security firm Hold Security. Company founder Alex Holden said an enormous file containing internal passwords relating to Orvis had been posted to Pastebin on October 4 and again on October 22.
Holden's finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online. However, a spokesperson for Orvis would only acknowledge that one much shorter breach had occurred.
Orvis spokesperson Tucker Kimball told Krebs: "The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones.
"We are leveraging our existing security tools to conduct an investigation to determine how this occurred."
Orvis is America's oldest mail-order retailer and was founded in 1856. The company has 69 retail stores and 10 outlets in the US plus a further 18 stores in the UK, and employs 1,700 people.
How the passwords came to be on Pastebin is unknown, though potential sources could include an internal threat actor or a malicious or perhaps simply careless third party.
Kelly White, CEO of RiskRecon, commented: "Security teams need to get into the mindset that their risk surface spans to all people, processes, and technology that touch their data, including subcontractors. Too often, organizations require less of their vendors and subcontractors than they do of their own personnel.
"While employees are formally trained in handling of sensitive information and required to use corporate administered systems, subcontractors are not; no training in handling of sensitive data and allowed to use their own systems. When incidents like this happen, it is no surprise that existing security standards aren't met—the subcontractor likely wasn't even aware of them."
Orvis did not reply to a request for further comment.