Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords

Posted by timothy on from the pretty-pictures-ugly-facts dept.

First time accepted submitter radudragusin writes "IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available, but I took the liberty to analyse it briefly."

7 of 160 comments (clear)

  1. Finally! by wonkey_monkey · · Score: 4, Insightful

    Some actual news for nerds, and from the horse's mouth. And graphs and everything. Love it.

    --
    systemd is Roko's Basilisk.
    1. Re:Finally! by Anonymous Coward · · Score: 5, Insightful

      Yeah, but the "most used passwords" should really be a bar graph not a line graph. It's not like the midpoint between "ADMIN123" and "IEE2012" makes any sense.

  2. For God's Sake by Anonymous Coward · · Score: 0, Insightful

    when are we going to all start hashing and salting passwords? It takes virtually no effort to do.

    1. Re:For God's Sake by cdrudge · · Score: 2, Insightful

      Well they are normally transmitted plain text so why shouldn't they be logged in plain text too?

  3. Secure password message falls on deaf ears by Tridus · · Score: 4, Insightful

    You'd think that people involved with the IEEE are a group that should know better, and yet the most common passwords according to the analysis reads like the usual suspects list from other breaches. They're still common, easily guessable passwords. Hashing wouldn't have protected them very long, as these are on the short list for any cracking program to test.

    It should be a wake up call that our current methods of trying to get users to pick secure passwords are a total failure. We need to go back to the drawing board and figure out a better way to get the message across, including tools to make it easy for people to get it right.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  4. Re:posting the most used passwords is probably bad by Spad · · Score: 3, Insightful

    Well with the exception of "SUNIV358", which is something of an outlier, the rest are all pretty standard passwords that you'd expect to see in any dataset like this

  5. It appears to be unguareded data not breach by 140Mandak262Jamuna · · Score: 3, Insightful

    Breach gives the connotation, some one or something broke into something that was protected. Here it looks like IEEE, quite stupidly, left valuable data unguarded.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact