All the passwords were stored in Active Directory description fields
It was far too easy for a hacker to get the information
Avram Piltch, US editor
Published Thu 4 Jun 2026 // 06:00 UTC
PWNED Welcome back to PWNED, the weekly column where we talk about weak security policies and how to avoid them. Hopefully, we can learn from others’ mistakes – or at least have a good laugh at them.

Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request.

This week, we have a tale of password passivity involving Active Directory. It comes to us courtesy of Rob Anderson, head of reactive consulting services at Reliance Cyber, a UK-based security firm.

Anderson recalls working in the past with a firm that was creating service accounts for its developers to use, but the org had no proper password vault in which to store the associated credentials. Instead, to make it easy for team members to find what they needed, they typed the passwords into the description field of each account in Active Directory.

“People don't realize that as soon as you've got an Active Directory user — just an ordinary user — you can read the comments field or the description field across the whole of Active Directory,” Anderson told The Register. “It's such an amazing lapse of security.”

Soon enough, an Initial Access Broker (IAB) – someone who specializes in breaking into protected networks and then selling that access to other threat actors – ran a phishing campaign and executed Sliver, the open-source command-and-control framework, on an endpoint. From that foothold they captured the victim’s domain credentials, and that single ordinary user account was all they needed to query Active Directory.
Once in AD, the intruders found plenty of passwords, and the accounts behind them carried full domain access. They used that access to delete all the backups and then detonate ransomware, encrypting the Hyper-V hypervisor hosts and putting 2,000-plus users out of action. The company was offline for months.

What we can learn from this sad story is that you can’t put passwords in cleartext anywhere that's easy to reach, unless you want an enormous attack surface. By default, every authenticated domain user can read the description field (and the Notes field behind it, the info attribute) of every object in the directory, so a password written there is effectively published to the whole company, and to anyone who phishes one of its employees. Even without a phish, an untrustworthy colleague could have sold the passwords to a threat actor. After all, a recent survey found one in eight workers think selling company logins can be justified.

“I've seen it where configuration details are kept in application servers that are running, and threat actors are using fuzzing — trying likely file and directory names — which again exposes configuration and credentials to the threat actors,” Anderson said.

He noted that developers are a bit more savvy these days about where they put their credentials, but security naivete sinks ships. Trust no one. ®
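To see how little the attacker needed, here is an added example (not code from the article or from Reliance Cyber) that does the same directory sweep from the defender's side: it walks every user and computer object that has a description or info attribute and flags values that look like credentials. It uses only ADSI, so it runs as an ordinary, non-admin domain user on any domain-joined Windows host without RSAT, which is exactly the point Anderson makes. Assumptions: the host is domain-joined and can reach a domain controller; the keyword and character-class heuristics in Test-LooksLikeCredential are illustrative and will produce some false positives; the account name svc_build in the remediation comment is hypothetical.

```powershell
# Added example, not code from the article or Reliance Cyber. Audits Active Directory
# for credential-looking text in the description / info attributes using only ADSI,
# so an ordinary domain user can run it on any domain-joined host without RSAT.
# Assumption: the host is domain-joined; the heuristics are illustrative, not exhaustive.

function Test-LooksLikeCredential {
    param([Parameter(Mandatory)][string]$Text)

    # 1. A credential keyword followed by a separator, e.g. "pwd: Summer2024!" or "password=..."
    if ($Text -match '(?i)\b(pass(word|wd|phrase)?|pwd|pw|secret|token|api[_ ]?key)\b\s*[:=]') {
        return $true
    }

    # 2. Any whitespace-free token of 10+ characters mixing at least three character classes,
    #    which catches bare passwords written without a label.
    foreach ($tok in ($Text -split '\s+')) {
        if ($tok.Length -lt 10) { continue }
        $classes = 0
        foreach ($re in '[a-z]', '[A-Z]', '\d', '[^A-Za-z0-9]') {
            if ($tok -cmatch $re) { $classes++ }   # -cmatch keeps the [a-z]/[A-Z] split meaningful
        }
        if ($classes -ge 3) { return $true }
    }
    return $false
}

function Find-CredentialsInDirectory {
    param([string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value)

    # Every object of class "user" (computer objects inherit from it) with either attribute set.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.Filter     = '(&(objectClass=user)(|(description=*)(info=*)))'
    $searcher.PageSize   = 1000   # paged results, so large domains are not truncated at 1000 hits
    [void]$searcher.PropertiesToLoad.AddRange(@('samaccountname', 'description', 'info', 'whenchanged'))

    foreach ($r in $searcher.FindAll()) {
        foreach ($attr in 'description', 'info') {
            $value = ($r.Properties[$attr] -join ' ')
            if ($value -and (Test-LooksLikeCredential $value)) {
                [pscustomobject]@{
                    Account    = $r.Properties['samaccountname'][0]
                    Attribute  = $attr
                    Value      = $value
                    LastChange = $r.Properties['whenchanged'][0]
                    Path       = $r.Path
                }
            }
        }
    }
}

# Run the sweep and print every hit. An attacker with one phished account gets the same list.
Find-CredentialsInDirectory | Format-Table -AutoSize

# Remediation (needs RSAT and write rights on the object): move the secret into a vault and
# rotate it FIRST, because clearing the field does nothing for a password already harvested.
#   Set-ADUser -Identity svc_build -Clear description,info
```

Run it as a regular domain user, not as an administrator: if it returns results, so would the attacker. Treat every hit as a compromised credential, rotate it before clearing the attribute, and then schedule the sweep so the field does not quietly fill up again.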
Tags: Active Directory, PWNED, passwords, ransomware, security