IEEE admits password leak, says problem fixed

Prestigious engineering, science organization says it is working to inform those affected.
Written by John Fontana, Contributor

The IEEE late Tuesday admitted that it publicly exposed unencrypted log files on its FTP site that contained plaintext usernames and passwords and said it was in the process of notifying those affected by the incident.

"IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” the IEEE said in a brief statement issued by its PR firm Finn Partners in response to questions from ZDNet. The rest of the statement said, “IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."

Radu Dragusin, a teaching assistant at the University of Copenhagen, Tuesday reported he found 100,000 usernames and passwords stored in plain text that had been sitting for a month on an FTP server belonging to the Institute of Electrical and Electronics Engineers (IEEE).

He said the compromised accounts belonged mostly to Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other universities and organizations.

Storing passwords is plaintext is considered an unconscionable security faux pas especially by a prestigious organization like the IEEE, which is the largest organization of engineers, scientists and other professionals. It is perhaps best known of its 802.11, wireless networking standard.

Dragusin said in an email exchange Tuesday with ZDNet , that two things went horribly wrong.  “One simple and stupid mistake: public access to logs. The other, more troublesome, keeping passwords in plaintext, which seems to be more on how they architect their login system.”

Dragusin said he is considering building a tool for ieee.org members to verify if their username is in the data he found.

While he said the files he discovered were about a month old, after further digging on the Internet he found 15 web pages worth of 14-month-old IEEE log folders on a Russian Web site.

The discovery indicates the IEEE files have been publicly available for more than a year.

The IEEE in its statement did not specifically address the length of time the log files, usernames and passwords were publicly available.

Dragusin does not know if those folders on the Russian site contain actual log files or are links picked up from the FTP server by a web crawler. But he said the folders’ listing of log files were similar to the files he found last week.

Dragusin found the data on Sept. 18, and spent a few days figuring out what to do with the information, he said. On Sept. 24, he contacted the Institute of Electrical and Electronics Engineers (IEEE), which has more than 400,000 members in more than 160 countries.

Editorial standards