Looks like there was a pretty significant accidental discovery earlier this month over on the IEEE.org and Spectrum.IEEE.org websites. Apparently, clear-text credentials were left on an open FTP server for a month or so as part of their web server logs. The individual who found this data let IEEE know, and at least as of today it’s “partially” fixed. The finder even went so far as to create a website to announce the leak at IEEELog.com. Of course, a quick domain lookup reveals they’ve enabled a whois privacy feature. Anyway, here’s the intro on that page.
Data breach at IEEE.org: 100k plaintext passwords.
Using the data to gain insights into the engineering and scientific community
IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available to anyone else.
The story goes on to describe how he or she came across the data.
The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their web server logs for both ieee.org and spectrum.ieee.org, allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on September 24 around 13:00 UTC, after I reported it). On these logs, as is the norm, every web request was recorded (more than 376 million HTTP requests in total). Web server logs should never be publicly available, since they usually contain information that can be used to identify users (sometimes even after the log was anonymized, as in the “AOL incident”). However, this case is much worse, since 411,308 of the log entries contain both usernames and passwords. Out of these, there seem to be 99,979 unique usernames.
The post closes with an analysis of the logs, an overview of the data, and even some citations supporting their research. Of course, they note the obvious issues with clear-text passwords and suggest improvements that we (and most everyone else) have discussed before. And perhaps related to this, there are also about 400 IEEE usernames and password hashes over on PasteBin for those so inclined to find them.
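The failure mode described above (an access log that records the credentials a login form sends, then ends up somewhere readable) is easy to audit for on your own servers. The script below is an added example, not code from the IEEE post or from this blog; it assumes, as an assumption the page does not state, that the credentials landed in the log as query-string parameters of a GET request, parses constructed Combined Log Format lines, counts leaked entries and unique usernames the way the finder's analysis did, and shows a redaction pass to run before logs are shared or archived.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: host ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names to treat as credentials (assumed names, extend for your own login form).
USER_KEYS = {"username", "user", "login", "email", "uid"}
PASS_KEYS = {"password", "passwd", "pass", "pwd"}
PASS_RE = re.compile(r"(?i)\b(password|passwd|pass|pwd)=[^&\s\"]*")

# Constructed sample log lines (RFC 5737 test addresses, made-up accounts).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Sep/2012:10:01:02 +0000] "GET /login?username=alice%40example.org&password=Hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Sep/2012:10:01:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [18/Sep/2012:10:02:15 +0000] "GET /login?username=bob&password=s3cret HTTP/1.1" 302 0 "-" "curl/7.26"',
    '203.0.113.5 - - [18/Sep/2012:10:05:00 +0000] "GET /login?username=alice%40example.org&password=Hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def find_credential_leaks(lines):
    """Return (username, password, line_no) for every entry whose query string has both."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        user = next((qs[k][0] for k in USER_KEYS if k in qs), None)
        pw = next((qs[k][0] for k in PASS_KEYS if k in qs), None)
        if user is not None and pw is not None:
            hits.append((user, pw, n))
    return hits


def summarize(hits):
    """Entry count and distinct-username count, the two figures the IEEE analysis reported."""
    return {"entries": len(hits), "unique_users": len({u for u, _, _ in hits})}


def redact(line):
    """Blank password values in a log line so the file can be retained or shared safely."""
    return PASS_RE.sub(r"\1=[REDACTED]", line)


if __name__ == "__main__":
    leaks = find_credential_leaks(SAMPLE_LOG)
    print(summarize(leaks))  # {'entries': 3, 'unique_users': 2}
    for line in SAMPLE_LOG:
        print(redact(line))
```

Redaction is a stopgap for logs that already exist; the fix the post calls for is not sending credentials in a URL at all, since anything in the request line is logged by default on the server and by every proxy in between.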
Did you find the pastes with the 400 usernames and password hashes? Let us know in the comments below. Today’s post pic is from IEEE.org. See ya!