BMC Software said Thursday that a default password suspected of playing a role in the massive Target security breach “is not a BMC-generated password.”
The Houston-based company was responding to cybersecurity blogger Brian Krebs, who wrote on Wednesday that he suspects a component of the malware used against Target was mimicking a default password from a widely used BMC software product. But BMC said it has no evidence that this is the case.
“At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack,” the company said. “BMC Software has received no information from Target or the investigators regarding the breach.”
Krebs said he doesn’t think the company’s statement rules out the possibility that user accounts installed by BMC software may have been used to help the attackers steal card data from Target. He said BMC’s own documentation shows that accounts installed with the software can be used to run simple programs.