Wednesday, September 26, 2012

100k IEEE site Plain-Text Passwords found on Public FTP

Romanian researcher Radu Drăgușin found that 100,000 usernames and passwords belonging to users of the Institute of Electrical and Electronics Engineers (IEEE) were stored in plain text on a publicly accessible FTP server.

According to him, on Sept. 18 he first discovered a log containing usernames and passwords in plaintext that had been publicly available via IEEE’s FTP server for at least a month. He informed them of his find yesterday, and the organization is evidently addressing the issue.

According to Drăgușin, the FTP server held the web server log files for the ieee.org and spectrum.ieee.org sites, covering approximately 376 million HTTP requests in total, including 411,308 log entries with login and password in plain text.
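The defender-side lesson of the incident is that web server access logs can themselves become a credential store, and that a routine check for secrets in them is cheap. The script below is an added example and is not code from the original post or from the researcher; it assumes (the post does not say how the credentials reached the logs) that they appeared as query-string fields of logged request lines in the common Apache/nginx "combined" format, and the field names it treats as secrets are an assumption to be replaced with the application's real form field names. It reports how many lines carry a secret and which identities appear beside one, without ever collecting the secret values, and writes a redacted copy of each line. The sample log lines are constructed.

```python
"""Scan access-log lines for credentials in URL query strings and redact them.
Added example, not from the original post or the researcher."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Form field names treated as secrets or as identities. Assumption for this
# example: substitute the application's real field names.
SECRET_FIELDS = {"password", "passwd", "pwd", "pass"}
IDENTITY_FIELDS = {"username", "user", "login", "email"}

# Apache/nginx "combined" format; the request line is the first quoted field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_request_target(line):
    """Return (regex match, split URL, decoded query pairs) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return m, parts, pairs


def leaked_fields(line):
    """Names of secret-bearing query fields present in one log line (empty set if none)."""
    parsed = parse_request_target(line)
    if parsed is None:
        return set()
    _, _, pairs = parsed
    return {k for k, _ in pairs if k.lower() in SECRET_FIELDS}


def redact(line):
    """Rewrite the request target so secret field values read REDACTED.
    Lines without secrets, and lines that do not parse, pass through unchanged."""
    parsed = parse_request_target(line)
    if parsed is None:
        return line
    m, parts, pairs = parsed
    if not any(k.lower() in SECRET_FIELDS for k, _ in pairs):
        return line
    cleaned = [(k, "REDACTED" if k.lower() in SECRET_FIELDS else v) for k, v in pairs]
    # urlencode re-encodes every value, so an untouched field may be spelled
    # differently than in the raw line (e.g. "%20" becomes "+"); acceptable for a sanitised copy.
    new_target = urlunsplit(parts._replace(query=urlencode(cleaned)))
    start, end = m.span("target")
    return line[:start] + new_target + line[end:]


def audit(lines):
    """Count lines carrying a secret and list the identities seen beside one.
    The secret values themselves are deliberately never collected."""
    hits = 0
    identities = set()
    for line in lines:
        if not leaked_fields(line):
            continue
        hits += 1
        _, _, pairs = parse_request_target(line)
        identities.update(v for k, v in pairs if k.lower() in IDENTITY_FIELDS)
    return {"lines_with_secrets": hits, "identities": sorted(identities)}


# Constructed sample lines: fictional hosts, users and secrets.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.7 - - [18/Sep/2012:10:01:09 +0000] "GET /login?username=alice&password=Tr0ub4dor HTTP/1.1" 302 0',
    '10.0.0.9 - - [18/Sep/2012:10:02:44 +0000] "GET /account?user=bob&pwd=hunter2&next=%2Fhome HTTP/1.1" 200 812',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    for raw in SAMPLE_LOG:
        print(redact(raw))
```

Redaction is a stop-gap for log copies that already exist; the durable fixes are to stop credentials from reaching the request line at all (accept them only in POST bodies the server does not log) and to keep log archives off any publicly reachable share.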

Among the users whose information was exposed are researchers at NASA, Stanford, IBM, Google, Apple, Oracle and Samsung. IEEE’s membership of over 340,000 is roughly half American (49.8 percent as of 2011).

“IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available to anyone else.” Message posted on the researcher’s site.
Source: THN