"In SaaS, the biggest threat is rarely technical," Gregory Shein told us.
Gregory Shein, Nomadic Soft, and a client decision
Gregory Shein, founder and CEO of software development firm Nomadic Soft, described a client choice that collapsed convenience into catastrophe. The client deliberately used the same administrative password across staging and production environments and—despite spending more than $30,000 on security tools—pinned that password in a shared Slack channel "so that everyone who needed it would find it easily." The password in use was the plain-text string "admin123."
How a common password and a pinned Slack message created a single point of failure
The password "admin123" is not obscure. NordPass, the password-management vendor that maintains a list of the 200 most common passwords, ranks "admin123" as the 10th most popular password in the world; "admin" occupies the second spot while "123456" is the top entry. The column notes that even if the pinned password had been a long, cryptic token such as "Vu+}}?8wV?5TPy2cLBqc=" sharing it in a public channel would still have been a mistake.
A former contractor's "testing" session ended in a full data wipe
Months after the password was circulated, a former contractor used the shared credentials to log in for what was described as "testing." That login did not produce benchmarks or quality assurance; instead it triggered a full data wipe. The result was significant data loss for the client whose administrative access had been effectively communal. The PWNED column frames the episode as an example of human shortcuts breaking tools that were otherwise intended to protect systems.
Response at Nomadic Soft: forced rotation and role-based access
In response, Nomadic Soft implemented forced credential rotation combined with role-based access control (RBAC). According to Shein, that change reduced unauthorized access attempts by 60 percent in a period of three months. The column also relays Shein’s broader assessment: "Most teams chase advanced security while ignoring the obvious gaps right in front of them."
The PWNED columnist added procedural recommendations, suggesting that organizations implement multi-factor authentication and replace passwords with passkeys where systems support them.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The episode underscores that access hygiene—unique credentials per environment, least-privilege role assignments, and deprovisioning of former contractors—is a low-tech but high-impact control. Forced credential rotation plus RBAC produced a measurable 60 percent drop in unauthorized access attempts at Nomadic Soft's client, according to Shein.
- Procurement and budget owners: Spending on security tools does not automatically translate into protection. The client had spent more than $30,000 on security tooling yet lost data after a simple password-sharing practice. Procurement leaders will want to ensure purchases are accompanied by controls and operating practices that address human behavior.
- End users and administrators: Convenience-driven practices—reusing an admin password across environments and pinning it in a widely accessible chat channel—amplify risk. The column’s advice to adopt multi-factor authentication and passkeys is presented as a practical complement to access controls and rotation.
The ledger on this case is straightforward: a well-worn password, broadcast where anyone could find it, allowed a former contractor to trigger a complete data wipe despite a substantial investment in security tools. The corrective steps taken—forced rotation and RBAC—cut unauthorized access attempts by a reported 60 percent in three months. The practical question that remains for organizations is not whether they can buy better tools, but whether they will fix the simplest, most exposed failures first.




