100k IEEE clear text passwords exposed on FTP server

A Romanian researcher blows lid on security gaffe.

Clear-text usernames and passwords of roughly 100,000 Institute of Electrical and Electronics Engineers (IEEE) members have been found on a publicly accessible server.

University of Copenhagen computer science researcher Radu Dragusin discovered the credentials in a 100GB cache of log files on a publicly accessible IEEE FTP server.

The logs recorded visitor IP addresses and HTTP requests, including the requests made whenever a member entered a username and password on the IEEE site. The ZIP archive was located in a folder labelled Akamai, the name of the content delivery giant.

Dragusin estimated the information was publicly available for at least a month.

"Anybody could do it," Dragusin said of his discovery, which he detailed in a comprehensive blog post. "It's not very sophisticated."

He said the IEEE failed on two fronts. First, the access permissions on the FTP server were set incorrectly, a misconfiguration that left the logs publicly readable. The directory should have been restricted to administrators only.

Second, and perhaps more worrying, the IEEE apparently made a practice of writing members' passwords to its logs, where they were captured and kept in clear text without encryption.
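The failure described above, login credentials captured in web server logs, is the kind of thing a routine log-scrubbing check catches before the logs are ever archived or copied to a file server. The following is an added example, not code from the article or from IEEE: it scans constructed Apache-style access-log lines for request parameters whose names suggest credentials (`password`, `passwd`, `token` and so on), reports where they occur and rewrites the lines with the values redacted. The log format, the parameter-name list and the sample lines are assumptions for illustration; the page does not describe the actual format of the IEEE logs.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Apache/NCSA combined log format (not real IEEE data).
# Line 1 shows a login submitted via GET, which puts the credentials in the URL
# and therefore in the access log; the "&" in the password is percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2012:10:12:01 +0000] "GET /login?username=alice&password=Tr0ub4dor%263 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2012:10:12:05 +0000] "GET /article/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Sep/2012:10:13:11 +0000] "POST /auth?user=bob&passwd=hunter2 HTTP/1.1" 200 310 "-" "curl/7.26.0"
"""

# Assumed list of parameter names that should never reach a log with a value attached.
SENSITIVE_PARAMS = {
    "password", "passwd", "pass", "pwd", "secret",
    "token", "api_key", "apikey", "session",
}

REDACTED = "REDACTED"

# Matches the quoted request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def find_sensitive_params(target):
    """Return (name, decoded value) pairs in the request target's query string
    whose names are in SENSITIVE_PARAMS. Percent-encoding is decoded first."""
    query = urlsplit(target).query
    return [
        (k, v)
        for k, v in parse_qsl(query, keep_blank_values=True)
        if k.lower() in SENSITIVE_PARAMS
    ]


def redact_target(target):
    """Rebuild the request target with sensitive parameter values replaced.
    Non-sensitive values are re-encoded by urlencode, so their exact encoding
    may differ from the original; the information content is unchanged."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def scan_log(text):
    """Scan log text line by line.

    Returns (findings, scrubbed_lines) where findings is a list of
    (line_number, method, [sensitive parameter names]) and scrubbed_lines
    is the log with sensitive values redacted. Lines that do not carry a
    parseable request line are passed through unchanged."""
    findings = []
    scrubbed_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            target = m.group("target")
            hits = find_sensitive_params(target)
            if hits:
                findings.append((lineno, m.group("method"), [k for k, _ in hits]))
                # Splice the redacted target back into the original line.
                line = line[:m.start("target")] + redact_target(target) + line[m.end("target"):]
        scrubbed_lines.append(line)
    return findings, scrubbed_lines


if __name__ == "__main__":
    found, scrubbed = scan_log(SAMPLE_LOG)
    for lineno, method, names in found:
        print(f"line {lineno}: {method} request carries credential parameter(s): {', '.join(names)}")
    print("--- scrubbed log ---")
    print("\n".join(scrubbed))
```

Redaction after the fact only limits the damage once a log has already been written; the durable fix is to keep credentials out of the request URL (POST bodies, not query strings) and to configure the web server or proxy to drop or mask these parameters before a line is logged at all. Note that usernames are left intact here; depending on the data-protection requirements they may warrant the same treatment.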

Dragusin did not share the data. He notified the IEEE last week, at which point the files were removed.

The breach was particularly notable considering that many IEEE members are security professionals, and the organisation has devised security standards, including ones that cover encryption and key management. The victims worked at organisations including Apple, Google, IBM, Oracle, Samsung and NASA, Dragusin said.

"It's not an organisation in which you can just be a member, like a social website. They must have a specific type of training. These members are highly skilled individuals."

The IEEE did not return requests for comment.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition