Holyoake describes themselves as a leading provider of drug and alcohol counselling and support services in Western Australia:
Each year Holyoake helps more than 4,000 people by providing practical programs to address peoples’ alcohol and drug abuse issues, guiding people through challenging times and into a better future.
I wonder how those clients would feel if they saw how weak Holyoake’s data security is for some things.
Two tweets last night by @Cyber_War_News alerted me to the problem:
so some one has actually hacked and leaked accounts from @HolyoakeWA – a drug and alcohol treatment service…
— CWN (@Cyber_War_News) March 20, 2015
and:
27 admin credentials with clear text passwords and very lame preset passwords of that. @HolyoakeWA you need to fix your shit ASAP. — CWN (@Cyber_War_News) March 20, 2015
CWN wasn’t exaggerating.
Inspection of data dumped by a hacker who tweets as PREDICTIBLE reveals 27 entries with username, cleartext password, first and last name, and user type. The data dumped were for those who have admin status.
The passwords were embarrassing. I won’t link to the paste or divulge the actual contents, but if an ADMIN uses a password where their username is their first name and their password is <username01> or <holyoake022), well, what can I say?
There’s a comment under the data:
I Apologise For Messiness
I think it should be Holyoake apologizing. But first they should be rushing to secure their server and ensuring their client data is secure. PREDICTIBLE did not disclose in the data dump how access was gained or whether any client data was accessed or acquired.
DataBreaches.net attempted to alert Holyoake last night using their contact forms on-site. They have not responded as of the time of this posting. CWN also tried to alert Holyoake via Twitter last night.