IEEE Site Exposes 100,000 Plaintext Usernames and Passwords
A server belonging to the Institute of Electrical and Electronics Engineers was found hosting a publicly available file containing plaintext usernames and passwords of 100,000 workers from Apple, Google, IBM, Oracle, Samsung, NASA, Stanford, and others.
The issue was discovered by Radu Dragusin, a computer scientist at FindZebra, who notified IEEE, enabling the institute to “partially” fix the issue. Besides this file, webserver logs detailing user actions performed on ieee.org and spectrum.ieee.org were also available for at least a month.
“On these logs, as is the norm, every Web request was recorded (more than 376 million HTTP requests in total),” said Dragusin in a blog post. “Web server logs should never be publicly available, since they usually contain information that can be used to identify users…”
Over 100 GB of logs were available to everyone with access to the FTP directory, raising serious privacy and security issues, as anyone with that access could easily have found the plaintext usernames and passwords within the logs as well.
Although misconfiguring access permissions on FTP files is considered a simple mistake, keeping passwords in plaintext is unacceptable, warns Dragusin. IEEE said it is investigating the problem and that affected users will be notified.
“IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” the organization said. “IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”
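The incident turns on a point Dragusin makes above: a web server's request log records every URL it serves, so if an application ever accepts a username or password as a query-string parameter, those credentials land in the log in plaintext. A routine defensive check is to scan logs for credential-bearing requests and redact them before the files are retained or shared. The script below is an added example, not code from the article, from Dragusin, or from IEEE; the log lines, hostnames, IP addresses and credentials in it are constructed, and the parameter-name lists are assumptions about what such parameters are commonly called.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample in Apache/Nginx "combined" log format. Lines 2 and 3
# carry credentials in the query string; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2012:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2012:10:12:04 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2012:10:12:09 +0000] "POST /api/session?user=bob&passwd=S3cret! HTTP/1.1" 200 87 "-" "curl/7.26"
203.0.113.9 - - [18/Sep/2012:10:12:15 +0000] "GET /search?q=spectrum HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed parameter names; extend these to match the application being audited.
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass", "token", "apikey", "api_key", "secret"}
IDENTITY_PARAMS = {"user", "username", "email", "login", "uid"}

# Matches the quoted request line: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def classify_query(target):
    """Return (identity_keys, credential_keys) found in the target's query string."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    identity = [k for k, _ in pairs if k.lower() in IDENTITY_PARAMS]
    credentials = [k for k, _ in pairs if k.lower() in CREDENTIAL_PARAMS]
    return identity, credentials


def redact_target(target):
    """Rebuild the target with identity and credential values replaced."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sensitive = IDENTITY_PARAMS | CREDENTIAL_PARAMS
    cleaned = [(k, "REDACTED" if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def audit_log(text):
    """Scan a combined-format log; report credential-bearing lines and return a redacted copy."""
    findings = []
    redacted_lines = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if match:
            identity, credentials = classify_query(match.group("target"))
            if identity or credentials:
                findings.append({"line": line_no, "identity": identity, "credentials": credentials})
                # Splice the redacted target back into the original line, leaving
                # the rest of the record (timestamp, status, user agent) untouched.
                line = (line[:match.start("target")]
                        + redact_target(match.group("target"))
                        + line[match.end("target"):])
        redacted_lines.append(line)
    return {"findings": findings, "redacted": "\n".join(redacted_lines) + "\n"}


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"line {f['line']}: identity={f['identity']} credentials={f['credentials']}")
    print(result["redacted"])
```

Redaction after the fact is a compensating control only: it catches what has already been written, and it cannot help once a log directory is world-readable. The durable fixes are the ones the article implies, namely never accepting credentials in URL parameters (so they never reach the access log) and keeping log storage off any publicly reachable share.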