IEEE Fesses Up To 100k Password Leak

Around 100,000 plain text passwords belonging to members of the Institute of Electrical and Electronics Engineers (IEEE) have been exposed online, according to a researcher, potentially placing information relating to the US government and major tech firms at risk.

A security researcher claimed unencrypted usernames and passwords belonging to the IEEE membership base, which includes researchers from the likes of Apple, Google and Oracle, were publicly available on an IEEE FTP server for at least one month.

Even users' web requests on the IEEE site were exposed, effectively disclosing their activity, according to the IEEE log blog, written by Radu Dragusin, currently a teaching assistant at the Department of Computer Science, Faculty of Science at the University of Copenhagen.

Dragusin said IEEE had failed to restrict access to the server logs for both ieee.org and spectrum.ieee.org allowing them to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/.

A confession

The IEEE, which gives approval for technology standards and describes itself as a “professional association dedicated to advancing technological innovation and excellence for the benefit of humanity”, today admitted that it was aware of the incident and had moved to hide the exposed data.

“IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” a spokesperson said, in an emailed statement sent to TechWeekEurope.

“IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”

At the time of publication, IEEE had not said why the data was exposed, nor whether it planned to add better protections to its passwords, considering they were being stored in plain text, without hashing, salting or any form of encryption.
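The log files at the centre of this incident carried user IDs and passwords in the clear. As an added illustration (not code from the article, from Dragusin or from IEEE), the script below scans constructed web-server access-log lines for credential-bearing query parameters and redacts them before the lines are retained or shared; the assumption that the credentials reached the logs through request query strings is mine, as the article does not say how they got there.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample access-log lines in Apache/nginx "combined" format; not IEEE's data.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2012:10:01:22 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Sep/2012:10:02:03 +0000] "GET /search?q=ieee+802.11 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2012:10:03:41 +0000] "POST /api/auth?username=bob&passwd=S3cret HTTP/1.1" 302 0 "-" "curl/7.26"
"""

# Parameter names that should never be written to a log in the clear (assumed list, extend as needed).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey", "api_key"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def find_credential_leaks(log_text):
    """Return (line_no, parameter_name) for each request whose query string carries a sensitive parameter."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        for name in parse_qs(query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                hits.append((n, name))
    return hits

def redact_line(line):
    """Replace the value of every sensitive query parameter with [REDACTED]; other lines pass through unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    target = m.group("target")
    parts = urlsplit(target)
    if not parts.query:
        return line
    redacted_pairs = []
    for pair in parts.query.split("&"):
        name, sep, _value = pair.partition("=")
        if sep and name.lower() in SENSITIVE_PARAMS:
            redacted_pairs.append(f"{name}=[REDACTED]")
        else:
            redacted_pairs.append(pair)
    new_target = parts._replace(query="&".join(redacted_pairs)).geturl()
    return line.replace(target, new_target, 1)

if __name__ == "__main__":
    for line_no, name in find_credential_leaks(SAMPLE_LOG):
        print(f"line {line_no}: sensitive parameter '{name}' logged in clear")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Running the detector over a log share before it is published, and the redactor in the log pipeline itself, would have flagged exactly the condition the IEEE statement describes.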

There are major concerns about the potential implications of the breach, given IEEE's membership, many of whom are engineers working on technologies for government.

“When we’re talking about engineering data that may perhaps underlie national or even international security and defence systems, vague promises to remember to encrypt the login data next time round just don’t cut it. Websites need to get away completely from storing usernames and passwords on the site – it is massively hazardous and completely unnecessary,” Brian Spector, CEO of two-factor authentication firm CertiVox, told TechWeekEurope.

“This breach is potentially a real triple whammy. Not only have usernames and passwords been made publicly visible, but so have all the actions users have performed on the IEEE website and the visitor activity on another IEEE subsite.

“In hacker terms: I know how to access all your stuff, I know what you’re working on, I can grab it and sell it on, and I can reuse your login details to potentially compromise any other sites or services you appear to subscribe to.”

It’s been a bad year for password security, in which Tesco was caught sending login details in plain text and LinkedIn saw passwords belonging to 6.5 million of its members stolen and published online.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
