{
	"id": "8fe869f9-4dcd-48f2-b60a-4e82153d9324",
	"created_at": "2026-04-06T00:10:42.427031Z",
	"updated_at": "2026-04-10T03:21:21.698736Z",
	"deleted_at": null,
	"sha1_hash": "7229819dfdd24393f032d8e1610f1d90f81e3c05",
	"title": "Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 389485,
	"plain_text": "Deloitte is a sitting duck: Key systems with RDP open, VPN and\r\nproxy 'login details leaked'\r\nBy Iain Thomson\r\nPublished: 2017-09-26 · Archived: 2026-04-05 17:19:35 UTC\r\nMonday’s news that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small\r\nincident.\r\nNow evidence suggests it's no surprise the biz was infiltrated: it appears to be all over the shop, security wise.\r\nOn Tuesday, what seemed to be a collection of Deloitte's corporate VPN passwords, user names, and operational\r\ndetails were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the\r\npast hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his\r\npublic Google+ page. The information was up there for over six months – and was removed in the past few\r\nminutes.\r\nWe were tipped off to these pages by an eagle-eyed reader, and grabbed a couple of screenshots of the potentially\r\noffending data:\r\nhttps://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/\r\nPage 1 of 5\n\nScreenshot of some of the alleged VPN details for accessing Deloitte's network that leaked onto GitHub – we've\r\ncensored what looks like passwords\r\nScreenshot of a portion of the Google+ page with Deloitte proxy login information\r\nOn top of these potential leaks of corporate login details, Deloitte has loads of internal and potentially critical\r\nsystems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should be\r\nbehind a firewall and/or with two-factor authentication as per industry best practices. 
And likely the best practices\r\nDeloitte recommends to its clients, ironically.\r\n“Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher\r\nDan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the\r\nplanet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes\r\nto mind.”\r\nFor example, he found a Deloitte-owned Windows Server 2012 R2 box in South Africa with RDP wide open, acting\r\nas what appears to be an Active Directory server – a crucial apex of a Microsoft-powered network – and with,\r\nworryingly, security updates still pending installation. Other cases show IT departments using outdated software,\r\nand numerous other security failings.\r\nHere's an example system with NetBIOS open:\r\nHey look, a deloitte server with 445 exposed to the internet https://t.co/BMFJqG0s3m\r\nproduction tax dns server\r\nwhat could possibly go wrong? pic.twitter.com/IeHSf7L1Vz\r\n— Dan Tentler (@Viss) September 25, 2017\r\nHere's what appears to be an Active Directory server with RDP open...\r\n'a;sljfasdfjadjaserfaweakjwtgfaehasrhfasd;laksfkasrohawghasedjas;faskdga'seraowhjasjdfasdlfasgajhsdfjarfhoae;ahd\r\npic.twitter.com/54O2PDy7zV\r\n— Dan Tentler (@Viss) September 25, 2017\r\n...complete with administrative users and, if you look closely, Windows Updates still pending:\r\npic.twitter.com/iGlTg4Kqh8\r\n— Dan Tentler (@Viss) September 26, 2017\r\nAnd as other infosec experts have spotted, plenty of other stuff is sitting online, searchable using Shodan, waiting\r\nto be prodded by miscreants and other curious minds:\r\nDeloittes’ US offices have everything from Netbios to RDP to Exchange Admin (single factor) etc etc\r\netc. They should get an auditor. 
pic.twitter.com/C8aoN5YQMn\r\n— Kevin Beaumont 🙃 (@GossiTheDog) September 25, 2017\r\nThese systems could be used as crucial footholds for hackers into the consultancy giant's internal networks.\r\nThe Google+ page appeared to show that a Deloitte employee has been writing down VPN access controls on his\r\npersonal page in full view of everyone. Using Google’s vaunted search facilities, a hacker could easily find enough\r\ninformation to launch an attack with a good chance of success.\r\nAll this is embarrassing for Deloitte, which billed itself as the top IT security consultancy in the industry. The firm\r\nmakes millions selling its tech guru services to others for a hefty price – and yet seems to ignore potentially gaping\r\nholes in its own IT infrastructure.\r\nThe details now emerging are also rather embarrassing for analyst firm Gartner, which in June named Deloitte the\r\nworld’s best IT security consultancy for the fifth year in a row. Gartner has yet to respond to a request for\r\ninformation on how its conclusion was reached.\r\nIt doesn’t help that Deloitte isn’t much liked by other security researchers for its business practices. The firm has a\r\nreputation for low-balling contractors on fees – particularly for penetration testing – and the schadenfreude of\r\nDeloitte being so bad at its own security has delighted some.\r\nDeloitte always wanted to break pentest prices, less than 1k / man day. Well, now you can see what you\r\nget for that price.\r\n— Responder (@PythonResponder) September 25, 2017\r\n“Between Equifax and Deloitte, starting to see through the tissue paper of corporate America’s security industry\r\ncompanies making huge claims, when in reality it’s a whole bunch of hypocrites,” said Tentler.\r\n“You’d think Deloitte claims to have all this super elder-god style security talent. 
If that was the case they might\r\nconsider using that talent on its own infrastructure.”\r\nDeloitte has not responded to a request for comment. ®\r\nSource: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/"
	],
	"report_names": [
		"deloitte_leak_github_and_google"
	],
	"threat_actors": [],
	"ts_created_at": 1775434242,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7229819dfdd24393f032d8e1610f1d90f81e3c05.pdf",
		"text": "https://archive.orkl.eu/7229819dfdd24393f032d8e1610f1d90f81e3c05.txt",
		"img": "https://archive.orkl.eu/7229819dfdd24393f032d8e1610f1d90f81e3c05.jpg"
	}
}