This week it was discovered that a large number of member passwords and IDs belonging to the Institute of Electrical and Electronics Engineers (IEEE) were exposed on a publicly available server. Roughly 100GB of log files were discovered by Radu Dragusin, a teaching assistant in Denmark, on an unsecured FTP server. The compromised data included members' information from Apple, Google and even NASA. Dragusin notified IEEE before publishing his analysis of the data on IEEElog.org, and the security hole was fixed; however, it is not known whether anyone else accessed the data.
The IEEE has not yet stated how the oversight occurred, but fingers are pointing to a configuration change that led to an access control failure. The fact that usernames and passwords were being logged to a plaintext file is itself problematic: even if the passwords are hashed when stored in a database, logging the same credentials in plain text defeats the entire purpose of hashing them.
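The logging point above is the one an engineer can fix directly: credentials must be scrubbed before a line ever reaches disk. As an added example, not code from IEEE or from the original post, here is a Python `logging` filter that redacts password-like fields from request lines; the field names and sample log lines are constructed for illustration.

```python
"""Redact credential values from log records before a handler writes them."""
import io
import logging
import re

# Assumed field names worth scrubbing; extend to match your own forms and APIs.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")

# Matches key=value in query strings / form bodies and "key": "value" in JSON-ish text.
_PAIR_RE = re.compile(
    r'(?i)\b(' + "|".join(SENSITIVE_KEYS) + r')\b("?\s*[=:]\s*"?)([^&\s"]+)'
)


def redact(text: str) -> str:
    """Replace the value of any sensitive key with [REDACTED], keeping the key itself."""
    return _PAIR_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class CredentialRedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so no handler sees the raw credential."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted; prevent a second % expansion
        return True


def log_through_filter(messages):
    """Send constructed messages through a logger fitted with the filter; return written lines."""
    buf = io.StringIO()
    logger = logging.getLogger("demo.access")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    for m in messages:
        logger.info("%s", m)  # credential passes in as an arg, is scrubbed before writing
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in log_through_filter(["POST /login?user=alice&password=hunter2 HTTP/1.1"]):
        print(line)
```

Attach the filter to every handler (file, syslog, remote) rather than the logger, so a later-added handler cannot bypass it.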
It is critical that organizations pay attention to what information is being logged, and monitor configuration changes on their servers, in order to protect sensitive data and ensure the privacy and security of their customers. Had Dragusin not acted ethically, the breach could have been far worse: IEEE would not have known about it until it was too late, and the data collected could have been used to compromise other organizations.
(Shark photo used under Creative Commons from hermanusbackpackers)