The username and passwords of nearly 100,000 members of the IEEE where left in plain text on a publicly available FTP server for a month before being discovered last week by a teaching assistant in the computer science department at the University of Copenhagen.
Storing passwords is plaintext is considered an unconscionable security faux pas especially by a prestigious organization like the Institute of Electrical and Electronics Engineers (IEEE).
In addition, 100GB of web server log files from the ieee.org and spectrum.ieee.org Web sites were publicly available because administrators failed to set access controls. The logs showed 376 million HTTP requests, with 411,308 including both usernames and passwords.
The compromised accounts belonged mostly to Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other universities and organizations.
The IEEE has yet to publicly acknowledge the data leak. It did not return calls Tuesday asking for comment.
Romanian university teaching assistant Radu Dragusin said in an email exchange that two things went horribly wrong. “One simple and stupid mistake: public access to logs. The other, more troublesome, keeping passwords in plain text, which seems to be more on how they architect their login system.”
He said the plaintext password problem is likely on-going. “While the first issue [log files] is clearly solved, I doubt the second is,” he said.
He said on his Twitter site Tuesday: “How long until IEEE acknowledges the breach and informs users? More than a day since I informed them on the breach and the hole got plugged.”
Dragusin said he is considering building a tool for ieee.org members to verify if their username and password is in the data he found. He also vowed not to release the data.
While he said the files he discovered were about a month old, after further digging on the Internet he found 15 web pages worth of 14-month-old IEEE log folders on a Russian Web site.
The discovery means that IEEE sensitive data has been publicly available for more than a year.
Dragusin does not know if those folders on the Russian site contain actual log files or are links picked up from the FTP server by a web crawler. But he said the folders’ listing of log files were similar to the files he found last week.
Dragusin found the data on Sept. 18, and spent a few days figuring out what to do with the information, he said. On Sept. 24, he contacted the IEEE, which has more than 400,000 members in more than 160 countries.
Once contacted, the IEEE fixed the log file problem within five hours.
He said he made his discovery while looking on the IEEE FTP server for possible open access research articles.
The IEEE, billed as the largest professional association for the advancement of technology, is made up of engineers, scientists and other professionals. It is perhaps best known of its 802.11, wireless networking standard.
Dragusin provided this overview of the data:
- Log data time span: 01/Aug/2012:20:46:28 +0000 to 18/Sep/2012:08:47:17 +0000
- Total number of log entries: 376.021.496
- log entries for ieee.org: 301.319.566
- log entries for spectrum.ieee.org: 74.701.930
- log entries with password details: 411.308 (of which 17.157 are password reset requests and have no username field)
- Most popular password: 123456; (password was fifth).
- The top email domains were gmail.com, yahoo.com, hotmail.com
More of Dragusin's data analysis can be found here.