IEEE Fesses Up To 100k Password Leak

Around 100,000 plain text passwords belonging to members of the Institute of Electrical and Electronics Engineers (IEEE) have been exposed online, according to a researcher, potentially placing information relating to the US government and major tech firms at risk.

A security researcher claimed unencrypted usernames and passwords belonging to the IEEE membership base, which includes researchers from the likes of Apple, Google and Oracle, were publicly available on an IEEE FTP server for at least one month.

Even user web requests on the IEEE site were revealed, effectively revealing their activity, according to the IEEE log blog, written by Radu Dragusin, currrently a teaching assistant at the Department of Computer Science, Faculty of Science at the University of Copenhagen.

Dragusin said IEEE had failed to restrict access to the server logs for both ieee.org and spectrum.ieee.org allowing them to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/.

A confession

The IEEE, which gives approval for technology standards and describes itself as a “professional association dedicated to advancing technological innovation and excellence for the benefit of humanity”, today admitted that it was aware of the incident and had moved to hide the exposed data.

“IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” a spokesperson said, in an emailed statement sent to TechWeekEurope.

“IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”

At the time of publication, IEEE had not said why the data was exposed and whether or not it was to add better protections to its passwords, considering they were being stored in plain text, without hashing, salting or any form of encryption.

There are major concerns about the potential connotations of the breach, given the members IEEE, many of whom are engineers working on technologies for government.

“When we’re talking about engineering data that may perhaps underlie national or even international security and defence systems, vague promises to remember to encrypt the login data next time round just don’t cut it.  Websites need to get away completely from storing usernames and passwords on the site – it is massively hazardous and completely unnecessary,” Brian Spector, CEO of two-factor authentication firm CertiVox, told TechWeekEurope.

“This breach is potentially a real triple whammy. Not only have usernames and passwords been made publicly visible, but so have all the actions users have performed on the IEEE website and the visitor activity on another IEEE subsite.

“In hacker terms: I know how to access all your stuff, I know what you’re working on, I can grab it and sell it on, and I can reuse your login details to potentially compromise any other sites or services you appear to subscribe to.”

It’s been a bad year for password security, in which Tesco was caught sending login details in plain text and LinkedIn saw passwords belonging to 6.5 million of its members stolen and published online.

How well do you know Internet security? Try our quiz and find out!