Cisco is resetting the passwords of registered members of its Web site after discovering a flaw in its internal search tool that could have exposed them.
John Noh, a Cisco spokesman, said the password reset, which the company initiated Monday, was a precautionary measure to ensure users’ safety.
He added the company doesn’t believe any sensitive information was compromised.
Noh wouldn’t say how many registered users the site hosts but said the vulnerability affected employees, business partners and third-party users. He said the company has reset the passwords for everyone, but is still in the process of resetting them for third-party users.
“This was a vulnerability that impacted an internal search tool on Cisco.com,” he said. “It was a security research organization that brought it to our attention and we fixed it immediately.”
He declined to comment on the details of the vulnerability, but said the security firm that tipped them off in the first place did not want its name publicized.
Members at Cisco.com receive the following message when they try to log on using their user names and passwords:
“Cisco has determined that Cisco.com password protection has been compromised. As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to [email protected]. Account details with a new random password will be e-mailed to you.”
Noh said they expect delays as members request the new password from Cisco.
It’s another black eye for the popular network equipment manufacturer, which last week took legal steps to block a former Internet Security Systems (ISS) analyst from discussing a security vulnerability in its software at a Black Hat convention.
The move caused an uproar in the Internet community, and some believed the company’s efforts to silence the researcher had backfired.
Though the two events are unrelated, they have tarnished the image of security for equipment that’s critical to running the Internet.
Rich Miller, an analyst at Internet services company Netcraft, said there will be a lot of attention paid to this matter of compromised passwords; full disclosure will be in the company’s best interest.
“There’s a lot of focus on Cisco, so to have something like this happen right now, it’s probably not what they were looking for,” he said. “I think it would behoove Cisco to try and explain to folks, given that nervousness, what’s going on here.”