Around 100,000 plain text passwords belonging to members of the Institute of Electrical and Electronics Engineers (IEEE) have been exposed online, according to a researcher, potentially placing information relating to the US government and major tech firms at risk.
A security researcher, Dragusin, claimed that unencrypted usernames and passwords belonging to the IEEE membership base, which includes researchers from the likes of Apple, Google and Oracle, had been publicly available on an IEEE FTP server for at least one month.
Dragusin said IEEE had failed to restrict access to the server logs for both ieee.org and spectrum.ieee.org, allowing them to be viewed by anyone visiting the address ftp://ftp.ieee.org/uploads/akamai/.
The IEEE, which gives approval for technology standards and describes itself as a “professional association dedicated to advancing technological innovation and excellence for the benefit of humanity”, today admitted that it was aware of the incident and had moved to hide the exposed data.
“IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” a spokesperson said, in an emailed statement sent to TechWeekEurope.
“IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”
At the time of publication, IEEE had not said why the data was exposed, nor whether it planned to add better protections to its passwords, which were being stored in plain text, without hashing, salting or any form of encryption.
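The failure described above is credentials reaching web server log files in clear text. The following added example (not code from IEEE or from this article) shows the defensive side: scanning access-log lines for clear-text credential parameters and redacting their values before the logs are stored or shared. The log lines, field layout and parameter names are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines (not from the IEEE server); the field
# layout and parameter names are assumptions for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2012:10:01:02 +0000] "GET /login?username=alice&password=Secr3t! HTTP/1.1" 302 0
203.0.113.9 - - [18/Sep/2012:10:01:05 +0000] "GET /search?q=antenna+design HTTP/1.1" 200 5120
203.0.113.7 - - [18/Sep/2012:10:02:11 +0000] "POST /login?username=bob&passwd=hunter2 HTTP/1.1" 200 311
"""

# Parameter names that should never appear in a log file in clear text.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass"}
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def credential_params(line):
    """Return the names of sensitive query parameters found in one log line's request target."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS]


def redact_line(line):
    """Rewrite the request target so every sensitive parameter value becomes REDACTED."""
    m = REQUEST_LINE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts._replace(query=urlencode(pairs)).geturl()
    return line[: m.start("target")] + target + line[m.end("target"):]


def scan_log(text):
    """Detection plus mitigation: return (number of lines carrying clear-text credentials, redacted lines)."""
    hits = 0
    redacted = []
    for line in text.splitlines():
        if credential_params(line):
            hits += 1
        redacted.append(redact_line(line))
    return hits, redacted
```

Running `scan_log` over a log export before it is copied anywhere flags the lines that would have leaked credentials and produces a version safe to retain; the real fix is to stop credentials reaching logs at all, for example by never accepting passwords in query strings.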
There are major concerns about the potential implications of the breach, given IEEE's membership, many of whom are engineers working on technologies for government.
“When we’re talking about engineering data that may perhaps underlie national or even international security and defence systems, vague promises to remember to encrypt the login data next time round just don’t cut it. Websites need to get away completely from storing usernames and passwords on the site – it is massively hazardous and completely unnecessary,” Brian Spector, CEO of two-factor authentication firm CertiVox, told TechWeekEurope.
“This breach is potentially a real triple whammy. Not only have usernames and passwords been made publicly visible, but so have all the actions users have performed on the IEEE website and the visitor activity on another IEEE subsite.
“In hacker terms: I know how to access all your stuff, I know what you’re working on, I can grab it and sell it on, and I can reuse your login details to potentially compromise any other sites or services you appear to subscribe to.”
It has been a bad year for password security: Tesco was caught sending login details in plain text, and LinkedIn saw passwords belonging to 6.5 million of its members stolen and published online.