The Institute of Electrical and Electronics Engineers (IEEE) has confirmed that it suffered a major data breach a week ago.
In a statement, posted here, it said that it had "become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords". It said the matter had been addressed and resolved, and that no financial information was made accessible.
The IEEE said: “However it was theoretically possible for an unauthorised party, using your ID and password, to have accessed your IEEE account. IEEE takes the protection of your privacy very seriously. Therefore, as a precautionary measure, IEEE has terminated access to your account under your current password. The next time you log in, you will be required to authenticate through the series of personal security questions you set up at the time you opened the account and to change your password.”
The statement, signed by IEEE chief marketing officer Patrick D. Mahoney, also said: “Please know that the IEEE takes the issue of safeguarding private information very seriously. We regret the occurrence of this incident and any inconvenience it may have caused you. We value our relationship with you and appreciate your understanding.”
The breach was originally discovered by Radu Dragusin and is detailed here. He said that the credentials had been stored unencrypted for at least a month on a publicly accessible IEEE FTP server. Dragusin reported the breach to the IEEE and said that among the roughly 100,000 affected users were employees of Apple, Google, IBM, Oracle and Samsung, as well as researchers from NASA and Stanford University.
Dragusin said: “If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome. Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake.
“Also, keeping passwords in logs is inherently insecure, especially plaintext passwords, since any employee with access to logs (for the purpose of analysis, monitoring or intrusion detection) could pose a threat to the privacy of users.”
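The two points Dragusin makes, storing a salted password hash rather than the plaintext and keeping credentials out of log files in the first place, are shown below in working code. This is an added example, not code from the original article or from the IEEE; the access-log lines are constructed in Apache combined format and are not taken from the leaked files, and the list of query parameters treated as sensitive is an assumption.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# PBKDF2-HMAC-SHA256 is used because it ships in the standard library; for a new
# system a memory-hard KDF (argon2id, scrypt or bcrypt) is the better choice.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<hash hex>.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked record cannot be looked up in a precomputed
    table; the attacker has to brute-force each record separately."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Parameter names assumed to carry credentials; extend for the application at hand.
SENSITIVE_PARAMS = frozenset({"password", "passwd", "pwd", "pass", "token", "secret"})
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Replace the values of sensitive query parameters in a request target."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    scrubbed = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def redact_log_line(line):
    """Scrub credentials from the request line of an access-log entry."""
    def _sub(m):
        return '"%s %s %s"' % (m.group("method"), redact_target(m.group("target")), m.group("proto"))
    return REQUEST_LINE.sub(_sub, line)


def find_leaked_credentials(lines):
    """Return (line_number, parameter) pairs where a credential is still in the log.

    This is the retrospective check to run over an existing log directory."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        for k, v in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            if k.lower() in SENSITIVE_PARAMS and v and v != "REDACTED":
                hits.append((n, k))
    return hits


# Constructed sample lines (not from the IEEE logs) in Apache combined format.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2012:10:12:44 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0',
    '198.51.100.9 - - [18/Sep/2012:10:13:01 +0000] "GET /search?q=ieee HTTP/1.1" 200 5120',
]


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("Hunter2", record))
    print(find_leaked_credentials(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
    print(find_leaked_credentials([redact_log_line(line) for line in SAMPLE_LOG]))
```

Redacting at write time only covers the request line; a password submitted in a POST body or in a header such as Authorization needs the same treatment at the point where the request is logged, and the stored record above is what an attacker would find if the same permission mistake were repeated on the user database.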
Brian Spector, CEO of CertiVox, said: “In hacker terms, if I knew how to access all your stuff, I knew what you were working on, I could grab it and sell it on and I could reuse your login details to potentially compromise any other sites or services you appear to subscribe to, I would have had a very good day at the office. Sadly, this is exactly what this breach potentially represents. Not only have usernames and passwords been made publicly visible, but so have all the actions users have performed on the IEEE website and the visitor activity on another IEEE sub-site.
“There is no reason whatsoever, in this day and age, and with the technology available, not to be using two-factor authentication, rather than vulnerable usernames and passwords, to authenticate access to websites - particularly when the kind of data that the IEEE is dealing with is not only commercially sensitive but economically and militarily sensitive too.”
Paul Ayers, VP EMEA of Vormetric, said: “In this particular incident, and with the information we know so far, the biggest mistakes appear to be twofold. First, a failure to take account of the nature of the data amassed and second, a subsequent failure to restrict access to the data. The IEEE files were chronicled when members entered their usernames and passwords on the IEEE site, thus logging personally identifiable credentials, IP addresses and HTTP requests of the visitors.
“This information was then stored unencrypted in a user accessible folder. Given the sensitivity of the information, this was not a best practice scenario.
“If this incident teaches us anything, it's that enterprises need to reconsider what is sensitive data, understand where that data resides, and take proactive measures to secure the sensitive data.”