A major data breach at IEEE.org has caused 100,000 passwords of employees from Apple, Google, IBM, Oracle and Samsung as well as researches from NASA and Standford (and other institutes) to be publicly available online.
The Institute of Electrical and Electronics Engineers is a non-profit organization that strives to "advance technological innovation and excellence" amongst engineers. Members of the IEEE are highly specialized, and work on very confidential projects in both private companies, government organizations and military projects.
Yesterday, Radu Dragusin discovered the unencrypted credentials on the IEEE public FTP server, where they had been stored for at least a month in this form. The FTP server was available at ftp://ftp.ieee.org/uploads/akamai/ for anyone who happened to find it, and had also been recording web requests by registered users. When Radu discovered the hole, he saw 376 million HTTP requests recorded unencrypted on the server, with usernames and passwords unobfuscated.
The problem was reported by Radu to the IEEE yesterday and they quickly took down the server, but the question remains if anyone else gained access to the data. He states on IEEElog.com that he does not plan to release the data, but has provided a number of graphs that visualize the extent of the data breach. It's slightly chilling when you see the data on a world map.
The IEEE is yet to even acknowledge the breach, and isn't returning calls related to the issue.
Update: The IEEE has acknowledged the issue, and sent the members email suggesting they reset their passwords. More info can be found on the IEEE's website and on Dragusin's website
20 Comments - Add comment