You read about a lot of bonehead business moves on Reddit. In fact, sometimes it can feel like no one out there knows anything about running a business at all.
Or maybe the right people just never get put in charge.
OP worked for a company that had a huge, glaring security flaw.
I just want to state that this IT issue is going to blow some people's minds. The security flaw that this presented was nothing short of incredible.
And the fact that we never had a major security breach is astounding. It truly is.
The flaw, you may ask?
Everyone in the entire company's password was the same password. Yes folks, you read that right: every single password to every single employee login was the same password. It was like this before I joined the company, and for quite a few years after. Until… well, enjoy the story.
Now what about the username?
That must be the trick, right?
Oh yeah, that was a trick: the username was the employee's email address.
I did point out this flaw to my management and their response was "That's not our area to be concerned about," so whatever, it paid well, I'll do my job.
When his superior refused to address a help request, OP decided it was time to bring it up.
And then one day, we had a Windows update which caused a piece of the software I used at work to break. I submitted a help ticket, and after escalating this issue I got to the CTO (it wasn't a huge company).
The CTO said "I don't want to spend the time fixing this, use this workaround," to which I pointed out the workaround slows things down, makes my job harder, and this Windows update has to affect more than just me.
I was told to suck it up.
Now at the time the CEO was the son of the founder and a bit of a dimwit. I legit feel at this point in time he was just collecting a paycheck and letting everything run on auto and didn't pay attention.
But I was mad at the CTO for brushing me off, so I penned an email to the CEO. It was a short email; I simply said:
“I discovered a massive security flaw that could potentially expose us to huge liabilities, when would be a good time to discuss this?”
The response? What security flaw?
I decided to demonstrate the flaw. I picked two random sales people (I didn't know them), I got their usernames and I logged into their systems, and I pulled two random customers' personal information.
The kind of information that would have easily allowed me to commit identity fraud, pull out credit in their names, etc., all kinds of bad stuff.
I emailed the CEO and I explained: "Anyone who knows the URL to log into our system can log into anyone's account and pull up customers' information, and everyone has the same password.
To prove this I logged into two random employees' accounts and pulled two different customers' profiles, and I've attached them. One single disgruntled employee could screw us over."
The meeting could have gone either way, honestly.
25 minutes later my phone rings; it's the CEO. He was nice, very interested in how I did this (this guy isn't the sharpest knife in the drawer), and I pointed out the flaw in plain English, and the liability that it presents to him.
I walked him through the process of “hacking” my own account as he called it. I’d hate to call it “hacking” cause it was so easy.
Now it dawned on this CEO that this liability was huge. I pointed out again in our conversation that a single upset employee could destroy us. The fact that it hadn't happened already is nothing short of a miracle.
I get told they want me to present this to the executive team, so they can discuss a solution (honestly, the solution is obvious).
So a day later we have the conference call. It's the CEO, the CTO, COO, CFO, the company lawyer, the senior VP, etc., and on the call I demonstrate the flaw and I lay out how I, as a lay person with very little IT background, am able to figure this out; it's incredible that we have this flaw. Everyone is in agreement that this is a HUGE ISSUE. Except the CTO.
The CTO gets very upset at me; he wants me fired for "hacking" the system. He says that per our employee handbook what I did is a fireable offense.
I point out that I’m not abusing this loophole and I’m only doing it to expose the flaw because I care about the company, and I think this is something that needs to be brought forward.
I point out that a former disgruntled employee could log into an account and steal customers' personal information, and if that were traced back to us the liability would be huge.
I could tell our Corporate attorney agreed with me and was shocked at what I was demonstrating.
The CTO pointed out that former employees' usernames are disabled, to which I pointed out:
Every employee username is their email address. It would be trivial for a former disgruntled employee to use a different employee email address that they remember to log in, and since everyone's password is the same they don't even have to guess.
The CTO points out that we would know who did it because of the IP address; I pointed out that VPNs are indeed a thing. The corporate attorney actually wasn't familiar with what VPNs do and I explained it.
And what shocked me is that the whole time, the only person in the meeting who didn't agree this flaw needs to be changed was the CTO.
The CEO made it clear that this issue would be fixed by the end of business that day, and there were no ifs, ands, or buts about this. The meeting ended.
But in the end, his boss “stepped down.”
After the meeting the CTO called me privately. HE WAS MAD. I had just exposed his incompetence, because the system was his design; the decision for everyone to have the same password was his decision. And I know why he did it: he did it because he was lazy. And I said to the CTO:
"You're a terrible CTO, you shouldn't be in the position you are, and you're lazy. You should have found a better solution for my help ticket."
He stops and asks “So this is about your stupid help ticket?”
I go "Yes, yes it is." He laughs and says he's going to have me fired, and I laugh and go "I'm pretty sure someone is getting fired. I'm also super confident that's not going to be me."
Well, sure enough, later that day we got an email stating that everyone was to change their passwords to something unique.
A week later the CEO announced the old CTO had stepped down to spend more time with his family.
The new guy is a lot more interested in help tickets.
On the first day of the new CTO's tenure he sent me an email telling me he wanted to personally work on my help ticket and find a solution around the Windows update. Which I'm pleased to say he did.
And I later had conversations with our attorney at a meeting; we legit never had a security breach. Which is simply astounding.
The attorney admitted that was just plain dumb luck on our part, and if we had had a security breach it would have been very bad for us.
Does Reddit think this was overblown revenge? Let’s find out!
The top comment says it really does boggle the mind.
It’s even extreme for the lazy folks out there.
They always get their comeuppance eventually.
Nobody smart leaves the door unlocked.
The wild thing is, this guy isn’t alone.
It’s scary to think about who is running these big corporations.
Keep your information close, friends.