The SolarWinds backdoor was deeply integrated into the code, it was injected during their build process, and there is no way that the update server having a weak password was the pivotal factor. Like Russian Intelligence would just give up if there were a strong password instead!
There is practically no chance that the server’s password was in any way relevant to the hack overall. I can forgive the ignorance from the news media, but some infosec people are repeating this garbage as if it is an important part of the SolarWinds compromise.
“The offense is routinely underestimated. When companies are hacked, they react as if they had only done this one thing or avoided this one mistake everything would have been okay. The adversary is treated as if they just got lucky.”
@networkattack
People are suggesting that the weak password example is relevant because it illustrates the poor security practices overall. I would agree with you if that was the argument presented. It was not. You have to work with the words ppl said, not what you wish they’d said.
“Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password ‘solarwinds123’
‘This could have been done by any attacker, easily,’ Kumar said.”
You can follow @thegrugq.