NEWS admin123 is the tenth most popular password in the world. The company used it for production - guess how it ended

pinkman

Investment in security is powerless against negligence.

One password, shared access, and a little "convenience" is all it takes for a company to lose its data. A story from the experience of the head of Nomadic Soft shows how mundane negligence nullifies even expensive protective measures.

The incident was described by Gregory Shane, founder and CEO of Nomadic Soft. One of the company's customers decided to simplify the team's work and used the same administrative password for the test and production environments. The password chosen was predictable: admin123admin123.

This choice regularly appears on lists of the most common passwords. According to NordPass statistics, admin123 ranks tenth among the most popular passwords in the world. The word admin on its own sits in second place, and 123456 remains the most frequent. Such a password is cracked trivially by automated attacks and is often known to the attacker in advance.
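As an added illustration, not code from the article or from Nomadic Soft: the password in this story, admin123admin123, is simply admin123 written twice, so a blocklist that only compares exact strings would let it through. The check below normalizes a candidate password (case, repetition, trailing digit runs, a few leet substitutions) before comparing it against a small constructed sample of a common-password list; the NordPass list itself is not embedded, and the substitution table and minimum length are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a common-password blocklist (a real deployment
# would load a published list such as the NordPass top-200 cited above).
COMMON_PASSWORDS = {
    "123456", "admin", "admin123", "password", "qwerty", "12345678",
}

# Assumed leet-speak reversals: @->a, $->s, 0->o, !->i, 1->i, 3->e
LEET_MAP = str.maketrans("@$0!13", "asoiie")


def smallest_repeating_unit(s: str) -> str:
    """Return the shortest u such that s == u * k.
    'admin123admin123' -> 'admin123'; a non-repeating string returns itself."""
    n = len(s)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and s[:size] * (n // size) == s:
            return s[:size]
    return s


def variants(password: str) -> List[str]:
    """Candidate base forms the password may be a trivial variant of,
    ordered from least to most transformed."""
    seen: List[str] = []

    def add(x: str) -> None:
        if x and x not in seen:
            seen.append(x)

    p = password.lower()
    add(p)
    unit = smallest_repeating_unit(p)          # collapse 'xx' -> 'x'
    add(unit)
    core = re.sub(r"[\d\W_]+$", "", unit)      # drop trailing digits/punctuation
    core = re.sub(r"^[\d\W_]+", "", core)      # drop leading digits/punctuation
    add(core)
    for x in list(seen):                       # finally undo leet substitutions
        add(x.translate(LEET_MAP))
    return seen


def is_blocklisted(password: str, blocklist=COMMON_PASSWORDS) -> Tuple[bool, Optional[str]]:
    """True plus the matching base form if any variant is on the blocklist."""
    for candidate in variants(password):
        if candidate in blocklist:
            return True, candidate
    return False, None


def check_password(password: str, min_length: int = 12) -> List[str]:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit, base = is_blocklisted(password)
    if hit:
        problems.append(f"variant of the well-known password '{base}'")
    return problems


if __name__ == "__main__":
    for pw in ["admin123admin123", "Adm1n123!", "P@ssw0rd2024", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The ordering inside `variants` matters: the least-transformed candidate that hits the list is reported, so admin123admin123 is reported as a variant of admin123 rather than of admin.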

Then the situation got worse. The company pinned the password in a Slack channel so that employees could find it quickly. Even a complex password in an open chat is a bad idea: every member of the channel gets access to it, and the message history is retained for months.

A few months after the password was posted, a former contractor logged into the system under the administrative account. Nobody had revoked their access. Instead of testing, the person ran actions that led to a complete wipe of the data.

The company had spent more than 30 thousand dollars on security tools, but the basic rules were ignored. As a result, the vulnerability arose not in the code and not in the infrastructure, but in how access was organized.

Shane puts the problem simply: in SaaS projects, the main risk is often associated not with technology but with people's behavior. The desire to simplify work passes for efficiency and leads to errors like these.

After the incident, Nomadic Soft changed its approach to access control. The company introduced mandatory credential rotation and role-based separation of rights. Within 3 months, the number of unauthorized access attempts decreased by 60%.

The story shows a set of specific mistakes. One password for different environments, credentials shared between employees, and no control over former contractors create a direct path to an incident. The situation is corrected by clear measures: individual credentials for each environment, minimum access rights, timely deactivation of accounts, multi-factor authentication, and a move to passkeys where systems support them.
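The mistakes and remedies listed above lend themselves to a periodic access review. The script below is an added example, not code from Nomadic Soft or from the article: it audits a set of account records for the specific failures in the story (one credential reused across test and production, one credential shared by several people, a departed contractor still enabled, admins without MFA, accounts nobody has used for a long time). The account records are constructed to mirror the story, and the field names, the credential identifier scheme and the 90-day staleness threshold are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    user: str
    env: str                     # "test" or "prod"
    role: str                    # "admin" or "member"
    cred_id: str                 # opaque id of the credential in use (never the secret itself)
    enabled: bool
    mfa: bool
    last_login: date
    contract_end: Optional[date] = None   # set for contractors


Finding = Tuple[str, str, object]   # (code, subject, detail)


def audit(accounts: List[Account], today: date, stale_after_days: int = 90) -> List[Finding]:
    findings: List[Finding] = []

    # Mistake 1: one credential used in more than one environment.
    envs_by_cred = defaultdict(set)
    for a in accounts:
        envs_by_cred[a.cred_id].add(a.env)
    for cred, envs in envs_by_cred.items():
        if len(envs) > 1:
            findings.append(("CRED_SHARED_ACROSS_ENVS", cred, sorted(envs)))

    # Mistake 2: one credential shared between several people (no individual accountability).
    users_by_cred = defaultdict(set)
    for a in accounts:
        users_by_cred[a.cred_id].add(a.user)
    for cred, users in users_by_cred.items():
        if len(users) > 1:
            findings.append(("CRED_SHARED_BY_USERS", cred, sorted(users)))

    # Per-account checks apply only to accounts that can still log in.
    for a in accounts:
        if not a.enabled:
            continue
        # Mistake 3: contractor whose engagement ended but whose access was never revoked.
        if a.contract_end is not None and a.contract_end < today:
            findings.append(("CONTRACTOR_STILL_ENABLED", a.user, a.env))
        # Remedy: multi-factor authentication, at minimum on administrative accounts.
        if a.role == "admin" and not a.mfa:
            findings.append(("ADMIN_WITHOUT_MFA", a.user, a.env))
        # Remedy: timely deactivation of accounts nobody uses.
        if (today - a.last_login).days > stale_after_days:
            findings.append(("STALE_ACCOUNT", a.user, a.env))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per code, for a quick dashboard or a test."""
    return dict(Counter(code for code, _, _ in findings))


# Constructed sample data mirroring the story: one admin credential shared by
# several people across both environments, and a contractor still enabled
# months after the contract ended. All names and dates are made up.
TODAY = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "prod", "admin", "cred-shared-admin", True, False, date(2025, 5, 30)),
    Account("alice", "test", "admin", "cred-shared-admin", True, False, date(2025, 5, 30)),
    Account("bob", "prod", "admin", "cred-shared-admin", True, False, date(2025, 5, 20)),
    Account("ex-contractor", "prod", "admin", "cred-shared-admin", True, False,
            date(2025, 1, 15), contract_end=date(2025, 2, 28)),
    Account("carol", "prod", "member", "cred-carol", True, True, date(2025, 5, 31)),
    # Properly offboarded contractor: disabled, so no per-account findings.
    Account("dave", "test", "member", "cred-dave", False, True, date(2024, 6, 1),
            contract_end=date(2024, 8, 1)),
]


def run_sample() -> List[Finding]:
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for code, subject, detail in run_sample():
        print(f"{code:26} {subject:15} {detail}")
    print(summarize(run_sample()))
```

Run against the sample, the audit reproduces every element of the incident: the shared admin credential shows up twice (across environments and across users), the former contractor is flagged both as still enabled and as stale, and none of the admin accounts has MFA. Running such a check on a schedule, with findings routed to whoever owns offboarding, is what turns the measures listed above from policy into something that is actually enforced.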
 