The Institute of Electrical and Electronics Engineers (IEEE) said an issue that arose in conjunction with its proxy server provider was to blame for last week's breach.
The breach, which SC Magazine reported last week, exposed the usernames and passwords of more than 100,000 IEEE members and led the IEEE to invalidate the affected users' existing passwords so their accounts could no longer be accessed with them.
The statement said: “The incident related to the communication of user IDs and passwords between two specific applications within our internal network, resulting in the inclusion of such data in web logs.
“An anomaly occurred with a process executed in coordination with a proxy provider of IEEE, with the result that copies of some of the logs were placed on our public FTP server. These communications affected approximately two per cent of our users. The log files in question contained user IDs and accompanying passwords that matched our directory. The primary logs were, and are, stored in protected areas.
“Upon discovering this exposure, IEEE immediately removed those files, ceased receiving those log files from the proxy provider and corrected the inter-application communication that resulted in the logs containing user IDs and passwords.”
It said that it does not store its corporate directory information in the clear, does not expose it to the public and denied that the corporate directory was compromised. It also said that after affected user accounts were locked down, only affected users were notified and that institutional account information was unaffected.
It also said that IEEE follows security best practices based on ISO and NIST standards, and that it reviews those standards to ensure its practices and processes follow a consistent security methodology.
“We thank IEEE's more than 2.5 million global users for their continuing support. IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused,” it said.
Radu Dragusin, a computer science researcher at the University of Copenhagen in Denmark, detailed his discovery of the IEEE FTP site holding the clear-text credentials, which he said had sat unencrypted on the public FTP server for at least a month.
Dragusin said: “If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plain text is much more troublesome. Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake.”
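The two failures the article describes, credentials written into web logs by inter-application traffic and passwords kept in plain text, both have standard mitigations, and the following Python shows them side by side. It is an added example written for this page, not IEEE's code and not Dragusin's; it assumes a PBKDF2-HMAC-SHA256 record format and a constructed access-log line in which the password travels as a URL query parameter (the article does not say how IEEE's credentials reached its logs, so that transport is an assumption). With salted hashing in place, a leaked record still has to be brute-forced per user; with the log redaction in place, the record never reaches the log at all.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# --- Part 1: salted password hashing (the mitigation Dragusin describes) ---

# Assumption: PBKDF2-HMAC-SHA256 with a 2023-era OWASP iteration count.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt is drawn unless one is supplied (only for
    deterministic tests). Two hashes of the same password therefore differ,
    so a leaked file cannot be cracked once for every user at the same time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so that a timing side channel does not leak the prefix."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- Part 2: keep credentials out of web logs ---

# Query-parameter names whose values must never be logged (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token"}


def redact_url(url):
    """Replace the value of any sensitive query parameter with [REDACTED],
    leaving the rest of the query string intact and re-encoded."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [
        (k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


# Matches the request field of a common-log-format line: "METHOD /target HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_log_line(line):
    """Apply redact_url to the request target of an access-log line before it
    is written, so a later mistake in log-file permissions exposes no password."""
    def _sub(m):
        return '"%s %s %s"' % (m.group("method"), redact_url(m.group("target")), m.group("proto"))
    return _REQUEST_RE.sub(_sub, line)


# Constructed sample log lines (not from the incident): one carries a password.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2012:10:15:02 +0000] "GET /login?user=alice&password=s3cret HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/Sep/2012:10:15:09 +0000] "GET /search?q=ieee HTTP/1.1" 200 1024',
]


if __name__ == "__main__":
    record = hash_password("s3cret")
    print("stored record:", record)
    print("verify correct:", verify_password("s3cret", record))
    print("verify wrong:  ", verify_password("wrong", record))
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

The record format stores the iteration count alongside the salt so the cost can be raised later and old records re-hashed on next login; the redaction runs on the request target rather than on the whole line so that usernames and paths remain available for incident response while only the secret values are removed.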