Espanyola de Telefonia exposes .env file with administrator password hash
The brand, backed by Bertín Osborne, publicly exposed a configuration file containing a hash of the administrator password, which was trivially linked to the real password. A textbook case of credential exposure.
Espanyola de Telefonia, the brand endorsed by presenter and singer Bertín Osborne, had its .env configuration file, containing a hash of the administrator password easily linked to the real password, publicly exposed. Reports of this issue circulated within security networks, highlighting a problem that is as basic as it is serious.
An .env file is where many web applications store their credentials and keys: database passwords, API tokens, and in this case, the hash of the administration password. It should never be accessible from outside, and exposing it publicly is one of the most well-known and preventable configuration errors. Having the password in hash form does not mitigate the situation if the hash is weak or predictable: there are tables and tools that can recover the original password from poorly constructed hashes.
Since the issue came to light, it has been mitigated and the URL now returns a 403, the HTTP code for forbidden access. However, because they have not set up a custom error page, the default response includes a code indicating they use a hosting service called IONOS. In other words, blocking access does not erase all the information that an observer can deduce from the server’s response.
The case, although small, is illustrative. Security does not fail due to sophisticated attacks, but because of configuration oversights: a file that shouldn't be visible, a poorly chosen hash, an error response revealing too much information. Properly protecting a service does not start with purchasing expensive products but by not leaving the keys in the door and reviewing what the system reveals when someone probes it.
For a company offering telecommunication services, trust is also a significant part of the product: such a basic oversight, even if no malicious access occurred, leaves the impression that the rest might not be well maintained either.