After details were revealed by Radu Dragusin over at IEEElog.com a few days ago that passwords and user details for some 100,000 members of the Institute of Electrical and Electronics Engineers had been made publicly available on the company’s FTP server for at least a month, the organisation has now confirmed it in a communication to members, advising them to change their details immediately.
The IEEE is an organisation dedicated to advancing technology, with over 400,000 members worldwide, including many employees of Apple, Google, IBM, Oracle and Samsung. It is responsible for globally used standards such as IEEE 802.3 (Ethernet) and IEEE 802.11 (wireless networking). At an organisation like this, you’d expect security to be high.
Still, this hack was no hoax. The official announcement of it was sent out yesterday and reads: “IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. This matter has been addressed and resolved. None of your financial information was made accessible in this situation.”
The organisation went on to say, though, that it was technically possible that while this information was available, someone could have used it to access a user’s account; therefore, as a “precautionary measure,” the IEEE recommended that all users change their account information. Until they do so, users will not be able to access their accounts at all.
In what seems like quite a cheeky move, the organisation goes on to explain to users that one of the best ways to protect themselves is to use a strong, unique password for their login. Considering it was an IEEE security blunder that caused the hack, advising other people on password strength seems a bit hypocritical.
That said, in Mr Dragusin’s disclosure of the leaked information, he produced a graph detailing some of the most commonly used passwords. Almost 300 people used “123456” or other variations on that same sequence of digits, while hundreds of others used passwords like “admin,” “student,” and “ieee2012.” Considering the involvement of IEEE members in pushing the boundaries of current technology, you’d assume we wouldn’t need to turn to Eugene “The Plague” Belford to explain the importance of password security.
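As an added example (not part of the KitGuru article, the Dragusin write-up or any IEEE code), here is the kind of check a defender would run against the failure mode described above: a scan for credentials that have been written to web-server logs in clear text, a redaction filter to keep them out of the logs, and the frequency tally that makes the “123456” problem visible. The log lines, parameter names and IP addresses below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of access-log lines (not IEEE's real logs). Credentials
# end up in the log because the login form sends them as query-string
# parameters, so the web server records them verbatim in plain text.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2012:10:01:02 +0000] "GET /login?user=alice&password=123456 HTTP/1.1" 200 512
10.0.0.6 - - [18/Sep/2012:10:01:07 +0000] "GET /search?q=ethernet HTTP/1.1" 200 2048
10.0.0.7 - - [18/Sep/2012:10:01:09 +0000] "POST /login?username=bob&passwd=ieee2012 HTTP/1.1" 302 0
10.0.0.8 - - [18/Sep/2012:10:02:11 +0000] "GET /login?user=carol&password=123456 HTTP/1.1" 200 512
"""

# Query-string keys that must never reach a log in the clear (assumed list;
# extend it to match the application's actual form field names).
SECRET_KEYS = ("password", "passwd", "pwd", "pass", "token")
SECRET_RE = re.compile(
    r"([?&](?:" + "|".join(SECRET_KEYS) + r")=)([^&\s\"]*)", re.IGNORECASE
)


def find_leaked_credentials(log_text):
    """Return (line_no, key, value) for every credential logged in clear text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            key = m.group(1)[1:-1].lower()  # strip the leading ?/& and trailing =
            hits.append((n, key, m.group(2)))
    return hits


def redact_line(line):
    """Replace secret parameter values so the line is safe to write to a log."""
    return SECRET_RE.sub(r"\1[REDACTED]", line)


def redact_log(log_text):
    """Apply redact_line to every line; what the log filter should emit."""
    return "\n".join(redact_line(line) for line in log_text.splitlines())


def password_frequencies(hits):
    """Count how often each leaked value appears, as in the published graph."""
    return Counter(value for _, _, value in hits)


if __name__ == "__main__":
    leaked = find_leaked_credentials(SAMPLE_LOG)
    print(f"{len(leaked)} credentials found in clear text")
    print(password_frequencies(leaked).most_common(3))
    print(redact_log(SAMPLE_LOG))
```

Running the scan against a log archive before it is mirrored to a shared FTP server is the cheap check; wiring the redaction into the logging pipeline is the fix.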
KitGuru Says: So the IEEE regrets the issue, but doesn’t apologise for the lack of security. The fact, too, that the communication focused mainly on telling members how to secure their accounts, when it was an IEEE vulnerability that caused the hack and subsequent account leak, is incredibly hypocritical. What do you guys think? Should the IEEE be more apologetic here, or is this just something that happens from time to time?