Ricoh MFP User Credentials, Passwords, Exposed in Data Breach

GovInfoSecurity reports that Ricoh Australia has notified banks, government agencies, universities, and various large businesses about an MFP data breach that, in some cases, exposed MFP login user credentials and passwords for Ricoh MFPs.

Documents called run-up guides were exposed on the Internet and indexed by Google’s search engine. Run-up guides describe how an MFP has been configured, as well as how to update its firmware and encrypt its hard drive. Most of the documents are said not to have contained any user names or passwords. However, a “small number” exposed Lightweight Directory Access Protocol (LDAP) and Active Directory user credentials, according to Melanie Withers, communications manager for Ricoh Australia. Those credentials are used to manage who can use the MFP and their level of access.
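The documents at issue were configuration write-ups that, in a few cases, carried LDAP/AD and SMTP credentials in clear text. As an added example (not code from the page, from Ricoh, or from GovInfoSecurity), the Python below is a pre-publication check of the kind a practitioner would run over such a guide before it leaves the organization: it scans a constructed, hypothetical run-up guide for lines that look like credential fields and redacts their values. The field names, the device line and every secret in the sample are assumptions, not content from the real documents.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of a run-up guide (hypothetical; not a real Ricoh document).
SAMPLE_GUIDE = """\
Device: MP C6503 (hypothetical sample)
Firmware update: apply package via Web Image Monitor
HDD encryption: enabled
LDAP server: ldap.example.internal
LDAP bind DN: CN=mfp-ldap,OU=Service,DC=example,DC=internal
LDAP bind password: Sp00ler!2019
SMTP server: smtp.example.internal
SMTP user: mfp-relay
SMTP password: R3lay-Pass
Administrator password: admin1234
Supervisor password: sup3rvisor
Paper tray 2: A4
"""

PLACEHOLDER = "<REDACTED>"

# A "key: value" line whose key names credential material: passwords,
# the LDAP bind DN (an AD account name) and SMTP/relay user names.
# Key matching is case-insensitive; the keyword list is an assumption
# chosen to fit the sample above, not Ricoh's real field names.
CREDENTIAL_LINE = re.compile(
    r"^(?P<key>[^:\n]*?(?:password|passwd|pwd|secret|bind dn|user)[^:\n]*):[ \t]*(?P<value>\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def find_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs for every credential-looking line
    whose value has not already been redacted."""
    return [
        (m.group("key").strip(), m.group("value").strip())
        for m in CREDENTIAL_LINE.finditer(text)
        if m.group("value").strip() != PLACEHOLDER
    ]


def redact(text: str) -> str:
    """Replace each credential value with the placeholder, leaving the
    non-sensitive configuration lines (firmware, encryption, trays) intact."""
    return CREDENTIAL_LINE.sub(lambda m: f"{m.group('key')}: {PLACEHOLDER}", text)


def safe_to_publish(text: str) -> bool:
    """True only if no unredacted credential line remains."""
    return not find_credentials(text)


if __name__ == "__main__":
    for field, value in find_credentials(SAMPLE_GUIDE):
        print(f"credential field found: {field!r} -> {value!r}")
    cleaned = redact(SAMPLE_GUIDE)
    print("safe to publish after redaction:", safe_to_publish(cleaned))
    print(cleaned)
```

The check is deliberately keyed on field names rather than on guessing what a password looks like, because configuration dumps label their fields and a label-based scan has far fewer false negatives on short or dictionary-style passwords such as those in the sample.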

Ricoh says the leak remains under investigation: “We are in contact with all impacted customers and are actively working with them to rectify the situation this week,” Ricoh said in a statement. “We apologize for exposing customer information in this way.”

At least two dozen organizations are said to have been affected, including the Australian Signals Directorate, the Civil Aviation Safety Authority, Australian Federal Police, Defence Science and Technology, Queensland Rail, ACT Government, NT Government, Deakin University, Charles Sturt University, Commonwealth Bank, NAB, IBM, and Arthur J. Gallagher, an insurance company.

“Slight Risk”

Despite the breach, GovInfoSecurity says the “real-world risk seems slight.” Nick Ellsmore, co-founder of the security consultancy Hivint, notes that to reach an MFP inside an organization, an attacker would already need to have network access.

However, according to GovInfoSecurity, “one of the most sensitive documents exposed…belong to Commonwealth Bank. They contain SMTP credentials for two models used by the banks, Ricoh’s MP C6503 and the MP 8003, as well as two sets of administrator credentials and one ‘supervisor’ account.” The bank is said to have immediately changed the passwords “even though there was no risk to customer data.”

Troy Hunt, a data-breach expert who runs the “Have I Been Pwned” breach-notification service, said that the leak is probably more embarrassing for Ricoh than anything else. The information is “certainly not as immediately weaponizable as things like publicly exposed database backups,” he said.

Ricoh Australia has removed the domain where the documents were stored, but according to GovInfoSecurity, “Many of the documents still showed up in Google’s cache days later, showing the difficulty in reeling back information once it’s been exposed to search-engine crawlers.”
