SAP Hybris / SAP Commerce
SAPenterprise app4 credentials1 default credential
Local Development Admin Console Credential
sap-hybris / admin-console-default
SAP Commerce/Hybris development and accelerator setups commonly include local administrative users for HAC, backoffice, and administration consoles. Production deployments should change seeded/demo credentials and rely on configured identity stores.
Default credentials
admin:nimdaLocation
Hybris Administration Console, Backoffice, SmartEdit, OCC, and storefront loginSAP Commerce user model tables and password hash fields
local.properties, project.properties, impex seed data, and deployment configs
database dumps, initialization exports, and environment backups
Notes
admin/nimda is modeled as a common seeded/development credential; do not assume it is valid for hardened production Commerce Cloud deployments.
Customer / Employee Password Hash
sap-hybris / user-password-hash
SAP Commerce stores employee, administrator, and customer account password hashes in the platform database.
Location
SAP Commerce user/customer/employee item tables and credential attributes
storefront, OCC APIs, Backoffice, HAC, and SmartEditimpex files, sample data, integration tests, and initialization scripts
database dumps and system copies
OAuth / OCC Client Secret
sap-hybris / oauth-client-secret
SAP Commerce OAuth2/OCC integrations use client IDs, client secrets, access tokens, and refresh tokens for API access.
Location
AuthorizationBearer token or Basic client credentials used for OCC/OAuth requests
OAuth client details, access token, and refresh token storage
local.properties, extension config, manifest secrets, and API client configs
HYBRIS_CLIENT_SECRET, SAP_COMMERCE_CLIENT_SECRET, OCC_CLIENT_SECRETCommerce Cloud portal variables, Kubernetes Secrets, and vaults
integration clients and tests
OAuth debug logs and API traces
Database, Mail, Search, and Integration Secrets
sap-hybris / database-mail-integration-secrets
SAP Commerce configuration contains database passwords, SMTP passwords, Solr credentials, payment provider secrets, SSO/SAML keys, and extension-specific integration tokens.
Looks like
pattern(?i)^(db\.password|mail\.smtp\.password|.*\.secret|.*\.password)\s*=\s*.+$Location
local.properties, project.properties, manifest.jsonruntime and extension secret configuration
SAP Commerce Cloud variables, vaults, and Kubernetes/Docker secrets
extension properties, impex, deployment templates, and CI variables
startup, integration, and payment/debug logs
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.