The organization inadvertently shared plain text credentials on an FTP server

Sep 26, 2012 07:15 GMT

On September 18, Romanian researcher Radu Dragusin discovered that the Institute of Electrical and Electronics Engineers (IEEE) was inadvertently sharing the usernames and clear text passwords of 100,000 users on an FTP server.

According to Dragusin, who currently works in the Computer Science department of the University of Copenhagen, Denmark, the information had been publicly available for at least one month before he identified the issue.

Besides the 100,000 usernames and passwords – many of them belonging to IBM, Google, NASA, Stanford, Samsung, Apple and Oracle employees – the server also exposed the “actions” performed by the affected users on ieee.org. Furthermore, the activity of spectrum.ieee.org customers was also available.

“The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai,” he wrote in a blog post.

“If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome. Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake,” he added.

IEEE was notified of the incident and the organization rushed to address the issue. However, chances are that others had also accessed the details before the security hole was patched.

According to databreaches.net, the information has already been mirrored on a few websites, which means that the impacted individuals are at risk.

IEEE has told CNET that the issue has been fixed and that they’re in the process of notifying the affected users.

It goes without saying that potential victims should immediately check if their credentials have been exposed and take the appropriate measures to ensure that they will not be misused.