Orvis Exposes Internal Passwords on Pastebin

KrebsOnSecurity found out that American retailer Orvis exposed company credentials and internal passwords on Pastebin.com.

According to Hold Security, Orvis posted an enormous password file to the online text-storage site, containing credentials for managing firewalls, routers, and administrator accounts. A file containing a number of internal usernames and passwords was also posted on the website.

Meanwhile, Orvis claims that the exposure isn’t hazardous because the credentials posted were ‘expired.’ Additionally, company spokesperson Tucker Kimball said that these credentials were only available for a day before being permanently removed from Pastebin.

“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones. We are leveraging our existing security tools to conduct an investigation to determine how this occurred,” said Kimball.

Hold Security lambasted Orvis for its statement, as the security company found that the retailer had posted the data on two separate occasions, October 4 and 22. Hold Security worked with 4i1.com to track the leaked information online.

Security editor Zack Whittaker also criticized Orvis for making excuses for its mistakes. Whittaker posted on his personal Twitter account, “Wow @OrvisFlyFishing leaked hundreds of thousands of internal passwords on Pastebin. Orvis said they were only available for a day. But when @briankrebs said he had evidence to the contrary, Orvis blocked Krebs’ emails from reaching the company.”

Whittaker also added that the company is trying to use the “sticking your fingers in your ears” tactic to avoid public and media attention.

Files from Orvis contained plaintext usernames and passwords for every online service or security product. These include antivirus engines, data backup services, Linux servers, Netflow data, DNS controls, Oracle database servers, battery backup systems, Microsoft 365 services, and encryption certificates.


According to KrebsOnSecurity, Orvis didn’t respond to the follow-up requests for comment via phone or email. The last two emails sent were returned as ‘blocked.’

Critical and sensitive credentials must be kept in a different location, certainly not on websites like Pastebin. According to reports, an employee was behind the move, which analysts described as extreme.

In addition to usernames and passwords, there is a report that the leaked credentials included the combination to the locked safe in the company’s server room.

Orvis was founded in 1856 and is based in Vermont. It sells fly fishing equipment and sporting goods and also operates a mail-order business. The company has over 1,700 employees, with 69 retail stores and ten outlets in the United States.