Opinion
Matt Levine, Columnist

Bad Passwords Are Securities Fraud

Also beyond Bed Bath, SBF’s cross-examination, capital relief and 6,500 pounds of coins.

By
Matt Levine is a Bloomberg Opinion columnist. A former investment banker at Goldman Sachs, he was a mergers and acquisitions lawyer at Wachtell, Lipton, Rosen & Katz; a clerk for the U.S. Court of Appeals for the 3rd Circuit; and an editor of Dealbreaker.
Contact us:
Provide news feedback or report an error
Site feedback:
Take our SurveyNew Window

If you are a publicly traded software company, and your customers access your product through a server, and you provide them with a default password to log into the server, and the default password is “password,” is that securities fraud? You know the answer!

Yesterday the US Securities and Exchange Commission sued “software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” SolarWinds sells network management software to companies and governments, including “an information technology infrastructure and management platform” called Orion. In 2020, Orion was famously hacked by Russian state actors, who inserted hidden code into Orion software updates and were “then able to remotely exploit the networks and systems of SolarWinds’ customers,” which they used “for the primary purpose of espionage.”

HomeBTV+Market DataOpinionAudioOriginalsMagazineEvents
News
MarketsEconomicsTechnologyPoliticsGreenCryptoAI
Work & Life
WealthPursuitsBusinessweekCityLabSportsEqualityManagement & Work
Market Data
StocksCommoditiesRates & BondsCurrenciesFuturesSectorsEconomic Calendar
Explore
NewslettersExplainersPointed News QuizAlphadots GameThe Big TakeGraphicsSubmit a TipAbout Us
Terms of ServiceTrademarksPrivacy Policy
CareersAdvertise
Ad Choices
Help©2026 Bloomberg L.P. All Rights Reserved.