• 2 min read
Law firm gave staff one master password for every account
A law firm let employees log in as any staff member or client with a shared admin password, exposing personal and health data.

Image: The Register
A law firm gave multiple employees a master password that could log them in as any user in the system, according to a reader account published by The Register in its weekly PWNED column.
The reader, identified as “Manny,” said he joined the firm a few years ago after being hired to replace an entire IT team, effectively becoming a one-person IT department. He found the company’s data and applications inside a single web-based interface, split into sections by client type, including personal injury cases and travel refunds.
The biggest problem was an admin password that acted as a universal key. Anyone with that password — and, Manny said, many people at the firm had it — could enter any account as long as they knew the user’s email address. That applied to both staff and clients, giving access to detailed personal information, including health records.

Recommended reading
AI won’t replace penetration testers just yet
“I immediately raised this as a huge security risk,” Manny told The Register. “But I was told, 'Oh that’s the admin password, everyone uses it. Don’t touch it.'”
Manny said the shared password was used for routine workarounds: staff could sign in as a sick colleague to reassign work, or log in as a client to complete missing fields on their behalf. He described the platform as 15 years old and badly in need of replacement.
When asked to build a new system, Manny said he refused to include a similar back door. According to his account, management responded by making every user a system admin instead.
The case is less about technical sophistication than basic controls: shared credentials, broad admin access, and management overriding security objections in a business handling highly sensitive legal and medical data.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via The Register


