r/talesfromtechsupport • u/Chilled_IT It's a model three! • 2d ago
Long Password Friday
This happened many moons ago. It is Friday around noon and people only worked until 1 or 2pm during those days. I was having a quiet day, chilling in my office all alone and getting mentally ready for the weekend. For some reason the company decided to have me as the sole admin for 70k square meters (about 750k square feet) and over 300 users at my location.
The first few months were rough but after 2-3 months, I had it figured out. Adjusted the local GPOs, implemented some scripts for the most recurring issues and general overall improvements. So despite the amount of users and area I had to cover, I actually had weeks where I didn't get a single support call. This was one of those days...well, until it wasn't.
Player 1: Yours truly ($Me)
Player 2: Sales lead ($SL)
My phone rings and the built-up dust on it starts to fall onto the desk. I see the caller ID and just went with my usual banter.
$Me: Welcome to the mental asylum in $location. Do you want to make use of this week's special of checking in 2 coworkers for the cost of 1?
$SL: Very funny you doofus. Look, I think I might have an issue here. One of our customers sent me a link, but nothing happens when I click it. What can be done?
Usually, I just connect remotely and have a look, but I was bored to death in my office and it felt like my walls were closing in on me. So I decided to rather walk down 2 floors, walk across our main road and climb up 1 floor to the sales team in a different building.
I arrive at the sales department in their full glory and $SL is already awaiting me.
$SL: Thank you for coming so quickly. Do you see the email?
*points at her screen with the email*
$SL: Now, when I go ahead and click the link and put in my credentials, nothing happens.
*$SL goes ahead, clicks the link and is presented with a Microsoft login. $SL goes ahead and enters email and password, but the page just reloads*
Usually, I would have stopped $SL, but I knew $SL had already done this, so there was no point. So I just quietly looked, screaming in pain inside.
$Me: Hmmm, may I sit and have a look?
$SL: Sure go ahead!
I sit down and check the email. Very generic, bla bla bla "please review" more bla, and a random link. URL is not part of our or the sender's domain. How lovely, $SL just trusted the customer's email. We were doing email campaigns back then, which included an external company sending phishing mails to our employees and notifying them if they clicked the links or even entered their credentials. $SL should have known better, but oh well. Just a password reset needed, nothing too bad.
$Me: It looks like your customer's email got hacked and they sent out this email to try to get more credentials from their contact list. Here are the parts where you could have noticed that something was fishy. But not too bad. Not much time has passed and it is just our password for emails.
Back then we had a password for logins, another one for M365 stuff, one for SAP, one for SAP Concur and one for SAP Ariba. Don't ask why; we just did, from way before I had joined.
$SL: Oh ok. But I also tried my other passwords.
*cold sweat*
$Me: Um...what? What do you mean exactly?
$SL: You know, the passwords for SAP stuff. I even tried the affiliated usernames instead of my email.
*If I leave work now and drive to the next airport, I might be at the beach before dinner*
$Me: Why exactly did you do that?
$SL: You know, I just thought it might work
*Absolute genius! Maybe try your credit card number, expiration date and CVV number next?!*
$Me: Oh boy...ok, so we will have to reset all of those now. Sadly, I have to push this up the ladder now and inform our HQ and especially our CIO.
$SL: Oh no! Well, I guess I understand.
*some moments pass in silence*
$SL: But what about the rest of my team?
$Me: What about them?
$SL: Well, since I thought it might be a problem on my laptop only, I forwarded the email to them and had them try their logins too. Do they need to reset their passwords as well?
*There is no way someone can be this dumb. Please tell me there is a hidden camera somewhere and I am on live TV?!*
$Me: Are you joking?
*Insert The Office meme: *softly* Don't*
$SL: No, why?
*Insert The Office meme: Nooooooooooooooooooo*
$Me: Alrighty! You get a new password, you get a new password, and you get a new password!
Making light of the situation was my way of hiding my urge to slap people.
I reset the passwords I was able to reset and then called our internal support line for SAP related support. Explained the situation and I think "No, I am not joking" was used several times. Then I spoke on the voicemail of our CIO as he wasn't picking up.
Still to this day I get something like PTSD twitches when I see $SL's number appear on my phone. I was moved to one of our locations in the US as my wife who is a US citizen got homesick, so I had asked for a transfer and it was granted by our CIO. But $SL still sometimes calls to ask me how I am doing in the US. Nice person, just suffers from being oblivious and gullible.
210
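The tell the OP describes (a login link whose domain belongs to neither the sender nor the company) is easy to check by hand and just as easy to automate. The following is an added example, not code from the OP or the thread: it parses a raw message, pulls every anchor out of the HTML body, and classifies each link as pointing at the organisation's own domains, the sender's domain, or somewhere external. It also flags the classic trick of visible link text that looks like one URL while the href goes to another host. The sample message and every domain in it are constructed placeholders (`.example`), and `ORG_DOMAINS` is an assumed allowlist; the eTLD+1 logic is a deliberate simplification (last two labels) that a real deployment should replace with the Public Suffix List.

```python
"""Flag links in an email whose destination is outside both the sender's
domain and the organisation's own domains.

Added example, not code from the Reddit thread. RAW_EMAIL is a constructed
message; all addresses and hosts are placeholders under .example.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the victim organisation's own registrable domains.
ORG_DOMAINS = {"ourcompany.example"}

# Constructed sample: a "please review" mail from a customer whose mailbox
# has been taken over. Link 1 is the phish, link 2 is the customer's own
# site, link 3 is our intranet.
RAW_EMAIL = """\
From: "Jane Customer" <jane.doe@customer.example>
To: sales.lead@ourcompany.example
Subject: Please review
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi, please review the document below and confirm.</p>
<p><a href="https://ourcompany.login-review.example/secure/doc">https://ourcompany.example/docs/review</a></p>
<p>Our portal: <a href="https://portal.customer.example/">customer portal</a></p>
<p>Our intranet: <a href="https://intranet.ourcompany.example/">intranet</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1: the last two labels of the host name.
    Good enough for this demo; production code should consult the
    Public Suffix List so that e.g. co.uk / com.au are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Registrable domain of the From: address."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return registrable_domain(addr.rsplit("@", 1)[-1])


def classify_links(raw_email, org_domains=ORG_DOMAINS):
    """Return one record per link: href, its registrable domain, a verdict
    ("org", "sender" or "external") and whether the visible text is a URL
    on a different host than the real target."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    sender = sender_domain(msg)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = _LinkCollector()
    collector.feed(body)

    results = []
    for href, text in collector.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        if dom in org_domains:
            verdict = "org"
        elif dom == sender:
            verdict = "sender"
        else:
            verdict = "external"
        # Visible text that looks like a URL but points somewhere else.
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        mismatch = bool(shown_host) and registrable_domain(shown_host) != dom
        results.append({"href": href, "domain": dom, "verdict": verdict, "text_mismatch": mismatch})
    return results


def suspicious(raw_email, org_domains=ORG_DOMAINS):
    """Links worth stopping the user over: external targets or text/href mismatches."""
    return [r for r in classify_links(raw_email, org_domains)
            if r["verdict"] == "external" or r["text_mismatch"]]


if __name__ == "__main__":
    for record in classify_links(RAW_EMAIL):
        print(record)
```

Run against the constructed message, only the first link comes back from `suspicious()`: its real target is `login-review.example`, which matches neither `customer.example` (the sender) nor the organisation, and its visible text impersonates the organisation's own domain. The customer-portal link is classified as "sender" rather than trusted, which is deliberate: a compromised customer mailbox can still link to its own domain, so "sender" is only a weaker signal, not a pass.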
u/goodenough4govtwork 1d ago
And people wonder why phishing is still a thing in the 21st century.
119
u/Chilled_IT It's a model three! 1d ago
From my experience I can tell you, the bigger the company the dumber their idiots. Especially in (upper) management. They can be laser-focused and good at one field but so bad in other fields that you wonder how they stayed alive up to this point in their lives.
76
u/KelemvorSparkyfox Bring back Lotus Notes 1d ago
Way Back When, I worked in a team that (among other things) was responsible for maintaining accounts on the AS/400 estate. Therefore our accounts all had the *SECADM permission.
After a few departmental shuffles, we got a new line manager. He was known, by the other managers, as the chocolate teapot. He talked about falling for one of those scam "Hello-I-am-totally-calling-from-Microsoft" calls, and only worked out that they weren't legit when they rebooted his (personal) laptop. This was someone two grades above me, on at least twice my salary, with a security administration-adjacent role, who fell for a scam call.
So yes, people can be (and are) that dumb. Some of them moreso, and even aggressively so.
37
u/Chilled_IT It's a model three! 1d ago
It feels like you are describing my current *boss*. Our branches in the US had no CIO, probably to save money. So the CFO has the oversight over IT here. And oh boy does that CFO like to click buttons and links. In a few months those structures will be torn apart and US IT will be controlled by HQ IT. I cannot wait because that CFO is driving me bonkers.
27
u/KelemvorSparkyfox Bring back Lotus Notes 1d ago
What really infuriated me was that I wanted that role. My line manager knew I wanted it. The director knew I wanted it.
When the vacancy went up, it was kept quiet. My application uncovered something of a shitstorm in HR, and by the time I knew what was going on, he had the job. The rumour mill stated that his ex-wife was friends with the director's wife, and he needed a well-paying job to enable his ex-wife to keep up with the shopping trips. I generally don't put much stock in rumours, but there was no other reason for him to be in that position.
12
u/meitemark Printerers are the goodest girls 23h ago
The director knew he would have to remove parts of your brain to get you to tolerate office politics, and he would have to pay a lot to keep your knowledge intact.
5
u/KelemvorSparkyfox Bring back Lotus Notes 17h ago
He already liked yes-men (and had fired the previous director's direct reports within weeks of starting), so we never really got on. I refused to lie in order to make it possible for him to force another company to change barcodes on a range of SKUs, and when I called out his favouritism, he didn't speak to me for 18 months.
40
u/Candid_Ad5642 1d ago
Way back when ransomware was all the rage, I worked in an MSP.
A user in a large financial company got an email; it looked like a cold-call kind of mail,
with a zip file attachment, and instructions to extract the file with a password and then double-click the runme.exe file.
And it encrypted every file the user had access to.
This wasn't that company's first ransomware incident, and not the last.
16
u/meitemark Printerers are the goodest girls 23h ago
Good news, the user can perform limited technical tasks when instructed. Bad news, the user installed ransomware.
29
u/StuBidasol 1d ago
I finally had to stop reading and look away from the screen for a minute or two to collect myself when you said she forwarded it to her team to try. I don't even work in IT.
Did she at least get reprimanded?
17
u/Chilled_IT It's a model three! 1d ago
I don't know. Nobody offered any information to me but I also never asked. I never ask those questions as it was 1 or 2 levels above my pay grade. I would hope she got written up or given intensive IT sessions. If $SL ever leaves, I will ask someone, but I would probably be labelled nosy if I did it while the person is still around.
7
29
u/MrRemj 1d ago
The small business hired a new bookkeeper. She seemed a little tech-deficient.
One of the stories was where she walked over to the owner, said "I got your email, I will pay the $58,000 invoice." The owner was like...sure. Great. Thanks for taking care of this.
Wait...who is this invoice for? (Was not his email, was not a real invoice.)
This was one of the many unfortunate stories of "The Bookkeeper Who Lasted One Month".
21
u/TimeSink48 1d ago
So I'm reading along and everything's kind of normal, user messes up and it has to be fixed, oh well that's life. Then the part about trying the other credentials. Well, that's worse, but still to be expected. Then I got to the part about having the rest of the team click the link and that's when "Oh for fuck's sake" escaped my lips. Congratulations, you invoked the PTSD from years ago.
17
u/ThunderDwn 1d ago
<fx : shuddering sobs>
My company has just gone through five separate instances of people doing exactly this.
Despite constant reminders to NOT do it, including specific examples, mandated training courses, more reminders and much, much angst from the IT team.
I feel your pain. Some days I just want to take email away from everyone and publish a notice which reads "Y'all are too fucking stupid to be allowed to play with email! No email for you, one year!"
6
u/Dom_Shady 1d ago
For some reason the company decided to have me as the sole admin...
The headshaking started early in this one.
6
u/nowildstuff_192 1d ago
I was audibly saying "nononononNONONONO" as I was reading. Now I'm upset. Nicely done.
4
u/Kerby233 17h ago
I can spot phishing emails and phishing exercises from a mile away. That said, I enjoy reporting legit emails sent by "stupid people" who don't follow our internal guidelines that should help spotting phishing attempts.
10
u/jeffrey_f 1d ago
Implement a 60-day password cycle, can't use the last 25 passwords. When users complain, without naming names, explain why.
18
u/Chilled_IT It's a model three! 1d ago
Those policies have been implemented by now as well. But back then I didn't have the standing yet. I was the newest addition to the team and the only admin at my location. Password policies were handled globally. If I had made changes on that, the admins at HQ would have had my head. Another 1-2 months after this something happened at one of our other companies within our Holding group. That company had their own AD, used only our SAP servers but had no admin on site. Instead they got serviced by an incompetent MSP. I cannot say anything about it in detail, but let's just say that HAFNIUM had a field day with them. Since I was the only admin with lots of Microsoft Exchange experience, I was chosen to lead the forensic analysis of what happened, jointly with 2 European cybercrime organizations (country of origin, country of HQ) and 1 US agency (country of parent company).
The trust that was built during this probably propelled the CIO to support my request of transfer to the US branches. As painful as those endless weeks were (we worked on Sat and Sun too), I have to be thankful for them. Needless to say that our global password policies changed shortly after as well, even when our AD was not compromised. Management got a rough wake-up call and was open for changes.
4
u/Dramatic_Mixture_877 19h ago
Our password system is set up that way now - but they're rolling out a new MFA system that requires a security app that most of my coworkers here in the basement cannot use, due to no signal on their phones, or me, whose phone does not support the app. So, I get a shiny new token soon ...
1
3
u/pocketpc_ 21h ago
At least he didn't start lying or trying to cover up the situation once it started coming unraveled. I'd much rather a user do something stupid and then tell me the truth so we can fix it rather than hiding it until it becomes a bigger problem.
2
u/Horrigan49 15h ago
I think your phishing awareness training could use some tweaking. Or, replace Sales department.
-2
139
u/IICNOIICYO 1d ago
This just kept getting worse and worse lol