Next time some duplicitous sack of shit talks about going dark, remember the stories like these.
The sales guy started renewing my Vodafone subscription and therefor needed to log in at a dealer portal from Vodafone. He didn’t remember the login password, and, here it comes, on the screen he opened an Excel file which contained all their passwords.
Is this happening for real? I had just told him minutes ago I’m an experienced professional hacker and we had both laughed about the password-taped-on-monitor leak.
Curiously and intensively I looked on the screen to get a picture of the treasure trove that was in front of me. Passwords to view and modify customer data of KPN, Vodafone, Telfort, T-Mobile, UPC, Tele2 and other companies were in plain view.
A curious detail was that the Excel password database was stored on Google Docs and the login details of their Google Account were also in front of me. Neat! I could look up their passwords anytime I wanted from any computer in the world.
As Google is a company located in the United States, the Google Docs servers are probably also located there, or at least subject to the Patriot Act. I think it’s safe to say the NSA probably (still) has direct access to documents stored in Google Docs. The password database is stored without encryption in the cloud so it can be assumed the NSA has access to it. So much for all the encryption effort made by Dutch telecom providers after the Edward Snowden leaks: Phone House is trusting their passwords to an American company.