A programmer found nearly 100,000 unprotected usernames and passwords on the Institute of Electrical and Electronics Engineers’ servers, according to his analysis released today. The IEEE is now working to clean up the mess.
The IEEE is a well-known organization for technologists and has over 400,000 members. On September 18, Romanian programmer Radu Dragusin discovered unencrypted IEEE login credentials left publicly available on its FTP server. He says he found “99,979 unique usernames” and passwords. The servers also showed all of the members’ activities on the website and may have remained unprotected for at least a month.
“IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” the organization told VentureBeat in an email. “IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.”
Dragusin says he has no intention of releasing the data, though he suspects others already have their hands on it.
As Ars Technica points out, while this is an embarrassment for the IEEE, what might be more embarrassing are the kinds of passwords being used by the members. Among the 99,979 usernames and passwords he found, 271 people used the password 123456, followed by
In his analysis, Dragusin notes that a number of the users are from famous technology companies such as Apple, Samsung, Google, IBM, and even NASA.
He also obtained a copy of the notification letter the IEEE sent out to affected members. It says “this matter has been addressed and resolved,” and assures users that no financial information was exposed. The organization also urged members to create a strong password, and included instructions on how to do so.