IEEE admits password leak, says problem fixed

Summary: Prestigious engineering, science organization says it is working to inform those affected.

The IEEE late Tuesday admitted that it publicly exposed unencrypted log files on its FTP site that contained plaintext usernames and passwords and said it was in the process of notifying those affected by the incident.

"IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected," the IEEE said in a brief statement issued by its PR firm Finn Partners in response to questions from ZDNet. The rest of the statement said, "IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."

Radu Dragusin, a teaching assistant at the University of Copenhagen, reported Tuesday that he had found 100,000 usernames and passwords stored in plain text that had been sitting for a month on an FTP server belonging to the Institute of Electrical and Electronics Engineers (IEEE).

He said the compromised accounts belonged mostly to Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other universities and organizations.

Storing passwords in plaintext is considered an unconscionable security faux pas, especially for a prestigious organization like the IEEE, which is the largest organization of engineers, scientists and other professionals. It is perhaps best known for its 802.11 wireless networking standard.

Dragusin said in an email exchange Tuesday with ZDNet that two things went horribly wrong. "One simple and stupid mistake: public access to logs. The other, more troublesome, keeping passwords in plaintext, which seems to be more on how they architect their login system."
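The second mistake Dragusin describes, credentials landing in log files in the clear, is something a defender can check for and neutralise before logs are ever stored or shared. The script below is an added example, not code from IEEE or from the article; it scans constructed web-server access-log lines for query-string fields that look like secrets, counts the lines that expose them, and returns a redacted copy. The log format, the field names treated as secrets and the sample lines are all assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines (not from the IEEE incident).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2012:10:01:02 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 200 512
10.0.0.6 - - [18/Sep/2012:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.7 - - [18/Sep/2012:10:02:11 +0000] "POST /api/auth?user=bob&pwd=s3cret&remember=1 HTTP/1.1" 302 0
"""

# Query-string keys assumed to carry secrets that must never be logged.
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Matches the quoted request section of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def find_credentials(line):
    """Return the (key, value) query pairs in one log line whose key looks secret."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SECRET_KEYS]


def redact_line(line):
    """Rewrite the request target so secret-looking query values read REDACTED."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SECRET_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("target")] + new_target + line[m.end("target"):]


def audit_log(text):
    """Return (redacted_text, number_of_lines_that_exposed_a_credential)."""
    exposed = 0
    out = []
    for line in text.splitlines():
        if find_credentials(line):
            exposed += 1
        out.append(redact_line(line))
    return "\n".join(out), exposed
```

Running `audit_log(SAMPLE_LOG)` flags two of the three lines and leaves non-secret parameters such as `remember=1` untouched; the same check belongs in the logging pipeline itself, since a log that never records the password cannot leak it.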

Dragusin said he is considering building a tool for ieee.org members to verify if their username is in the data he found.

While he said the files he discovered were about a month old, after further digging on the Internet he found 15 web pages' worth of 14-month-old IEEE log folders on a Russian Web site.

The discovery indicates the IEEE files have been publicly available for more than a year.

The IEEE in its statement did not specifically address the length of time the log files, usernames and passwords were publicly available.

Dragusin does not know whether those folders on the Russian site contain actual log files or are links picked up from the FTP server by a web crawler. But he said the folders' listing of log files was similar to the files he found last week.

Dragusin found the data on Sept. 18, and spent a few days figuring out what to do with the information, he said. On Sept. 24, he contacted the Institute of Electrical and Electronics Engineers (IEEE), which has more than 400,000 members in more than 160 countries.

About

John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

Talkback

3 comments
  • I like this standard statement

    "IEEE takes safeguarding the private information of our members and customers very seriously"

    Yeah, that's why you store passwords in plaintext?
    kjetil_h
  • Speaking of cleartext...

    Why does ZDNet _still_ not use HTTPS for encrypting their registered users' logins? That is an unconscionable security faux pas.
    The Breeze
  • Can they proofread?

    Do writers at ZDNet proof their text even once for grammatical errors and/or typos? Amazing.
    Hayyward