IEEE data breach: 100K passwords leak in plain text [Update]

A major data breach at IEEE.org has left 100,000 passwords belonging to employees of Apple, Google, IBM, Oracle and Samsung, as well as researchers from NASA, Stanford and other institutions, publicly available online.

The Institute of Electrical and Electronics Engineers (IEEE) is a non-profit organization that strives to "advance technological innovation and excellence" among engineers. Its members are highly specialized and work on very confidential projects at private companies, in government organizations and on military programs.

Yesterday, Radu Dragusin discovered the unencrypted credentials on the IEEE's public FTP server, where they had been sitting in that form for at least a month. The server, reachable at ftp://ftp.ieee.org/uploads/akamai/ by anyone who happened to find it, also held logs of web requests made by registered users. When Dragusin discovered the hole, he found 376 million HTTP requests recorded on the server, with usernames and passwords logged unobfuscated.

Dragusin reported the problem to the IEEE yesterday and they quickly took down the server, but the question remains whether anyone else gained access to the data before then. He states on IEEElog.com that he does not plan to release the data, but has provided a number of graphs that visualize the extent of the breach. It is slightly chilling to see the data plotted on a world map.

The IEEE has yet to even acknowledge the breach, and is not returning calls related to the issue.

Update: The IEEE has acknowledged the issue and has emailed members suggesting they reset their passwords. More information can be found on the IEEE's website and on Dragusin's website.


20 Comments


warwagon said,
I recently signed up for "a website" and they sent me a confirmation email including my password.

I hate it when sites do that; unfortunately it's far too common. That's why I always use a unique password for every website.

Oh Jesus Christ, what a ridiculous occurrence.

Seriously, you'd think that the IEEE at least knows the very basic principles of a member database, no?

I think it's time for some draconian laws really.

GS:mac

They're probably using systems designed back in the early 90's when this sort of thing was barely an issue. (Obviously though that's no excuse)

They weren't, come on, reading isn't even a little bit hard.

The Apache access.log was available for world-readable access on the FTP server, which included passwords that had been POSTed. The access.log shouldn't have been readable and the POST shouldn't include the password, but that's at least slightly better than straight up storing plaintext.

I imagine it's a fairly commonly overlooked attack vector.

~Johnny said,
They're probably using systems designed back in the early 90's when this sort of thing was barely an issue. (Obviously though that's no excuse)

Barely an issue? You must be joking. Hacking was rife back then, even worse than we have it now. The only reason we see more disclosures is because it's been made acceptable to show proof of concept and name (and sometimes shame) companies who fall victim to hacks, and more mainstream news sites report on it rather than having to go to a dedicated security-focused website.

ascendant123 said,
They weren't, come on, reading isn't even a little bit hard.

The Apache access.log was available for world readable access on the FTP server which included passwords that had been POSTed.

I checked my access.log and it does not contain any POST (or GET) information

127.0.0.1 - - [14/Mar/2012:12:36:30 -0400] "GET /***/install/css.php HTTP/1.1" 200 70037
127.0.0.1 - - [14/Mar/2012:12:37:01 -0400] "POST /***/install.php HTTP/1.1" 303 576
127.0.0.1 - - [14/Mar/2012:12:37:02 -0400] "GET /***/index.php?lang=en HTTP/1.1" 200 32698
127.0.0.1 - - [14/Mar/2012:12:37:05 -0400] "GET /***/reset-min.css HTTP/1.1" 200 820
127.0.0.1 - - [14/Mar/2012:12:37:05 -0400] "GET /***/grids-min.css HTTP/1.1" 200 1401
127.0.0.1 - - [14/Mar/2012:12:37:05 -0400] "GET /***/base-min.css HTTP/1.1" 200 711

I know that it is possible to have a more verbose log file, but it is not activated by default.

Brony said,
I checked my access.log and it does not contain any POST (or GET) information

Depends how the server is configured. If you really wanted to, you could have the log contain all sorts of information, POST data included. mod_dumpio, for example, can log everything. Obviously not something that should be done in a production environment though... just an example; no idea if this is what these guys did.

Brony said,

I checked my access.log and it does not contain any POST (or GET) information

127.0.0.1 - - [14/Mar/2012:12:36:30 -0400] "GET /***/install/css.php HTTP/1.1" 200 70037
127.0.0.1 - - [14/Mar/2012:12:37:01 -0400] "POST /***/install.php HTTP/1.1" 303 576
127.0.0.1 - - [14/Mar/2012:12:37:02 -0400] "GET /***/index.php?lang=en HTTP/1.1" 200 32698
127.0.0.1 - - [14/Mar/2012:12:37:05 -0400] "GET /***/reset-min.css HTTP/1.1" 200 820
127.0.0.1 - - [14/Mar/2012:12:37:05 -0400] "GET /***/grids-min.css HTTP/1.1" 200 1401
127.0.0.1 - - [14/Mar/2012:12:37:05 -0400] "GET /***/base-min.css HTTP/1.1" 200 711

I know that it is possible to have a more verbose log file, but it is not activated by default.

This is how it actually looked (of course, with the IP, username and password changed):

70.25.215.104 - - [18/Aug/2012:00:11:29 +0000] "GET /origin.http://www.ieee.org/ieee-mashu...BLOckED&_=2144268793125 HTTP/1.1" 200 590 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "-"
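The thread above turns on whether a default Apache access log can capture credentials at all: ascendant123's log shows only request lines, Brony notes that POST bodies never appear unless something like mod_dumpio is configured, and the last log line shows the actual shape of the leak, a GET whose query string carried the login. The Python below is an added example, not code from the article, from Dragusin's write-up or from the IEEE. It parses Apache combined-format lines, flags requests whose query string carries a secret under common parameter names, lists the accounts that would need a forced reset (the response the IEEE's update describes), and redacts the secrets so a log can be shared with responders. The log lines are constructed for this example (TEST-NET addresses, made-up accounts), and the parameter names `username`, `password` and `apikey` are assumptions; the real IEEE form's parameter names are not shown on the page.

```python
"""Detect and redact credentials captured in Apache access-log request lines.

Added example for this page (not the article's, Dragusin's or the IEEE's code).
Apache's default "combined" LogFormat records the full request line, so any
credential a form submits as a GET query parameter lands in access.log, while a
POST body does not (unless something like mod_dumpio is enabled).
"""
import re
from urllib.parse import parse_qsl

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumed parameter names; the real IEEE form's names are not shown on the page.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey", "api_key"}
USER_PARAMS = {"username", "user", "login", "email"}

_REDACT_RE = re.compile(
    r"(?i)(^|&)(" + "|".join(re.escape(p) for p in sorted(SENSITIVE_PARAMS)) + r")=[^&]*"
)

# Constructed sample log (TEST-NET addresses, made-up accounts), not real IEEE data.
# Line 2 is a POST: its body (where a well-built form puts the password) is not logged.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Aug/2012:00:11:29 +0000] "GET /login?username=alice&password=hunter2&_=123 HTTP/1.1" 200 590 "-" "Mozilla/5.0"
203.0.113.6 - - [18/Aug/2012:00:11:30 +0000] "POST /login HTTP/1.1" 303 576 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2012:00:11:31 +0000] "GET /css/base-min.css HTTP/1.1" 200 711 "-" "Mozilla/5.0"
203.0.113.8 - - [18/Aug/2012:00:11:32 +0000] "GET /api/items?apikey=sk_live_abc123 HTTP/1.1" 200 44 "-" "curl/7.26.0"
this line is not an access-log entry at all
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(line):
    """Decoded (name, value) pairs from the logged request target's query string."""
    rec = parse_line(line)
    if rec is None:
        return []
    _, sep, query = rec["target"].partition("?")
    return parse_qsl(query, keep_blank_values=True) if sep else []


def find_leaked_credentials(line):
    """(name, value) pairs for sensitive parameters present in the request line."""
    return [(n, v) for n, v in query_params(line) if n.lower() in SENSITIVE_PARAMS]


def redact_line(line):
    """Same line with sensitive query values replaced; every other field is untouched."""
    rec = parse_line(line)
    if rec is None:
        return line
    path, sep, query = rec["target"].partition("?")
    if not sep:
        return line
    clean_target = path + "?" + _REDACT_RE.sub(r"\1\2=REDACTED", query)
    return line.replace(rec["target"], clean_target, 1)


def scan(log_text):
    """Summarise a log: which requests leak secrets and which accounts need a reset."""
    report = {"lines": 0, "unparsed": 0, "leaking": [], "affected_users": set()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        report["lines"] += 1
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        leaked = find_leaked_credentials(line)
        if not leaked:
            continue
        report["leaking"].append((rec["host"], rec["method"], [n for n, _ in leaked]))
        for n, v in query_params(line):
            if n.lower() in USER_PARAMS:
                report["affected_users"].add(v)
    return report


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"{result['lines']} lines, {result['unparsed']} unparsed, "
          f"{len(result['leaking'])} leaking secrets")
    print("accounts to force-reset:", sorted(result["affected_users"]))
    for line in SAMPLE_LOG.splitlines():
        if find_leaked_credentials(line):
            print(redact_line(line))
```

Redaction is only for handing a log to someone else after the fact; it does not undo the exposure. The fixes that matter are the ones the thread names: log directories must never be world-readable, and a login form must submit credentials in a POST body rather than the URL, so that neither the access log nor any proxy, browser history or Referer header ever sees them.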