back to article Users' passwords exposed by Splunk

Splunk, a kind of Google for business technology that boasts it can help reinforce your security, has exposed the details of major customers to hackers following a web site slip up. The passwords of customers on were revealed after some debug information leaked on to its production servers. The debug code exposed …


This topic is closed for new posts.
  1. Rob Burke

    Clear text passwords....

    ... they obviously deserve everything they get.

  2. Havin_it

    Just can't take the article seriously

    with that name. Seriously, who saluted that one when they ran it up the flagpole?

    And, please, any discussion of "internal Splunk deployment" should be kept in the Netherlands where it belongs.

    Then again it might make a good (and it's really about time we had one) generic verb/noun for an enterprise privacy breach. As in: "I don't believe it, BT have splunked my credit card details all over the place!" etc.

  3. Simon C


    Looks like that last stick dropped a hella lot of balls.

  4. rmacd


    Why the hell are they keeping my password in cleartext, in any case?

  5. Gary F


    A security company keeping passwords of users? And in the clear? I will give them a free piece of invaluable advice. Store a hash of the password, never the password itself. There is absolutely no reason why any system would need to keep the password on file - except to increase the risk of exposing sensitive information or to use it for criminal activity.

  6. Anonymous Coward
    Paris Hilton

    Totally mis-spelled

    There's no "L" in it.

    She knows all about it.

  7. Anonymous Coward


    another day, another web site exposing user details... ho hum.

  8. gimbal
    Black Helicopters

    Only a small number of passwords...

    With - who was that, again? - as their customers, it sounds to me like a "few" passwords could cause a big problem.

    Who does the security audits for this company? Who does the programming? Please don't say Sponge Bob(TM)....

  9. Robert Carnegie Silver badge

    Let's remember that "Google" is also a silly name.

    And Yahoo. And Bing. And Bebo. And is rather silly. Facebook and YouTube are quite silly.

    Still, Splunk appears to be a 21st century venture,

    rather than a survivor from the late 90s, the era of Internet companies with silly names.

    Splunk seems to be a tool to aggregate your own network's log files? Sort of a screen scraper for logs?

    I wonder why they didn't go with "Logorrhoea"? Or something like "Logistics"?

  10. Anonymous Coward

    Clear text passwords... me nuts. Especially when the "helpful" website sends me an email saying "thanks for registering, your username is XYZ and your password is ABC". Don't lie- nobody uses a different password for _everything_. I have a range of passwords I treat with different levels of security.

    If I'm registering just to download something I probably don't want anyway, I'll set my basic simple password (I may even use a mailinator address too). If it has anything to do with my finances, it's > 12 characters and very complex. There's a few levels in-between, but I get so pissed off when a stupid website exposes one of my mid-level passwords, and I have to change everything else I use it with. Fortunately I'm careful enough with my important passwords that I haven't had an idiot website expose it yet.

    To re-iterate what other people have said- it's not just that they shouldn't _send_ me the password, it's that they shouldn't be _able_ to send me my password. They shouldn't know it- it should always be stored as a hash! That way, nobody can just leech all the passwords in the event of a break-in. I'd call it "page one", to be honest.

    1. g e


      And a salted hash to boot for the monkey brained morons that have 'password' as their password.

  11. Flugal


    Bet they were shlitting themselves after flucking that up, the stupid clunts.

  12. DanTheMan

    Splunk is great!

    This article is complete BS.

    Splunk takes security so serious that because silly passwords to the website (not the product, not the user's website, not the user's data) were seen by *5* splunk internal employees, they recommended that user's change their passwords. Again, this is just the user's account for which is just for downloading of the free splunk product, and they were only seen by 5 splunk internal employees. No hackers, no public access, no data loss.

    There is NOTHING dangerous about this at all. It's absurd that Splunk is being maligned for doing the right thing.

    1. Anonymous Coward
      Anonymous Coward

      I guess you'll be the (only) one...

      ...who downvoted all the negative posts then? If you ask me, you need to work for a new company. Anyway, they're not being maligned for doing the right thing, but the WRONG thing:

      Do. Not. Store. Clear. Text. Passwords.


      For anything.

      Get it?

  13. The_Police!


    for some free splunk?

    Just getting my coat!

  14. johnmark

    Some facts

    Just to clear up some misconceptions...

    1. Last week, due to some temporary debug code that was promptly removed, we discovered that some users’ passwords inadvertently appeared in our internal web server logs.

    2. No one’s password was accessible from the internet or the web site, and we took immediate steps to purge the confidential information from our internal system logs.

    3. Our internal IT team that monitors the site logs are the only employees who would have temporarily been able to see these passwords.

    4. This applies only to passwords on our web site,, and did not impact anyone’s deployment of Splunk software or the data stored in customers’ instances of Splunk.

    5. We proactively reset all potentially affected users’ passwords; cleared all of these users’ active sessions on; purged the information from all internal log files; and then notified all affected users, sending them a new temporary password. This was a precaution.

    No, we don't normally leave clear text passwords in the logs - web monkeys have been appropriately flogged.

    Feel free to ask me any questions or see the updated blog post here:


    John Mark Walker

    Splunk Community Guy

  15. Anonymous Coward

    Spunk and SIEM products

    Isn't there a company out there using Splunk for their SIEM to gather business intelligence or something of that nature. Kinda brings to question the security of Splunk's partners as well.

  16. This post has been deleted by its author

  17. Bod
    Paris Hilton

    Splink Splunk

    Thought this was a reference to Splink! for a moment, that classic public information film featuring John Pertwee in the 70s.

    Paris - loves splunk

This topic is closed for new posts.

Other stories you might like