[ChuckNorris89]

Simple, human error and no code review process for your production environment.

Something similar happened to a huge retailer here in Austria where just typing your username without password would log you in. Reason? An intern committed debug code to production and nobody noticed. In my book that's not the fault of the intern but the fault of the CTO/$TECH_LEAD that hasn't implemented and religiously uphold a code review process for everything that goes into production since stuff like this could happen even to experienced engineers that are tired or having a bad day.

[kernaussage]

I live in Austria as well, could you share to which retailer it happened?

[jbverschoor]

It shouldn’t be a manual code switch in the first place.

[ummonk]

What else would it be? The authentication code would live somewhere. And for debugging someone could change it to always return successful for an empty password. That debugging change shouldn't be checked in of course, and it should have been caught in code review. (It's a reasonable oversight for the authentication unit tests to only test incorrect passwords rather than the edge case of empty passwords)

[jfkebwjsbx]

It is the fault of both.

Interns are not stupid and so they have to carry the burden of their mistakes too.

[kortilla]

No, absolutely not. As an engineer you develop systems and processes that don’t allow such major mistakes.

You can’t fault people for making simple mistakes or you’ll end up with an organization where nothing gets done.

[jfkebwjsbx]

Every single human holding a responsibility at any level gets blame all the time. There is nothing wrong with that, nor with making mistakes, and it is a fact of life.

Engineering processes are orthogonal to that.