AUSTIN (KXAN/Reuters) — After it was revealed Austin-based SolarWinds was part of a massive U.S. government hack which targeted the Treasury and Commerce departments, among other agencies, security researchers say the company’s update server was easily accessible last year.

In a Dec. 15 Reuters report, Security researcher Vinoth Kumar said last year, he told SolarWinds that anyone could access its update server by using the password “solarwinds123”.

The company’s update server was how the cyberespionage campaign was carried out. Hackers got into the networks by putting malware in a SolarWinds software update.

SolarWinds explained the “potential vulnerability” stemmed from updates released between March and June for its Orion software. Orion helps organizations monitor their online networks.

Reuters also reports other cybersecurity leaders noticed the compromised software updates could still be downloaded, days after the company found out about the hack.

SolarWinds has over 300,000 clients, and 18,000 have been affected at least by this attack. Many experts believe Russia is behind it.