Lenovo’s target market is enterprise customers, which makes their repeated security issues rather perplexing.
In 2015 they released PCs with Superfish adware, which made them vulnerable to being remotely exploited. In 2016 they released PCs with a vulnerable driver. Also in 2016, their Lenovo Solution Centre (LSC) included a vulnerability which could allow anyone with access to your local network to execute arbitrary code.
The company has once again let the side down by exposing Lenovo PC owners to having their private information stolen.
On this occasion it was discovered that Lenovo’s Fingerprint Manager Pro software comes with a hardcoded password and weak encryption, can be accessed from accounts without admin privileges, and exposes a user’s login credentials and fingerprint data.
The software came installed on around 50 ThinkPad, ThinkCentre or ThinkStation models, but the good news is that only Windows 7, 8 and 8.1 devices are affected, as Microsoft took direct charge of biometric security with Windows Hello in Windows 10, making the software unnecessary.
The software also cannot be exploited remotely, though presumably a local exploit, e.g. on a shared PC, would reveal all your data.
Lenovo has released a patch which can be found here.