
Trade group exposes 100,000 passwords for Google, Apple engineers

The plaintext passwords were exposed for a full month before being reported.

A breakdown of the 18 most common passwords exposed by IEEE suggests that engineers aren't much better than lay people at choosing secure passcodes.

The world's largest professional organization for computer engineers exposed user names, plaintext passwords, and website activity for almost 100,000 of its members, some of whom are employees of Apple, Google, IBM, and other large companies.

The sensitive information was contained in 100 gigabytes worth of website logs that were publicly available for at least a month on servers maintained by the Institute of Electrical and Electronics Engineers, according to a blog post published by a recent graduate and current teaching assistant at the University of Copenhagen. The 99,979 unique user names Radu Dragusin said he found in the cache comprise about 24 percent of the 411,000 members counted in the 2011 IEEE Annual Report.

"It is certainly unfortunate this information was leaked out, and who knows who got it before it got fixed," Dragusin wrote. Elsewhere in the post he said: "If leaving an FTP directory containing 100GB worth of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome."

The exposure is problematic because it could provide outsiders with a candid view of the password choices of some of the world's most influential software and hardware engineers. Many Internet users employ the same or a similar password for multiple accounts, with the average person using just 6.5 passcodes to access 25 separate accounts, according to one landmark study. While there are no public reports of the data circulating on the Internet, many password crackers prefer to keep their password lists a closely guarded secret, so there's no guarantee the information isn't already being used to compromise IEEE members.

Even members who chose a randomly generated password unique to their IEEE account had their activity exposed: Dragusin said the logs recorded more than 376 million Web requests made in a single month for ieee.org addresses, so the files reveal which pages each logged-in member visited.

IEEE officials didn't respond to an e-mail and phone call seeking comment for this article. Dragusin told Ars no one he knows who is a member of IEEE has received notification that their information was exposed.

According to a breakdown provided by Dragusin, a statistically significant sample of the exposed passwords he found is so overused that, even had the passwords been hashed rather than stored in plaintext, they would typically take less than a second to crack with freely available programs such as Hashcat and John the Ripper. The password "123456" (minus the quotes) was used 271 times, while "ieee2012", "12345678", "123456789", and "password" were used 270, 246, 222, and 109 times respectively. Domain names in some of the exposed e-mail addresses included uspto.gov and ieee.org, among others.
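The kind of breakdown described above can be reproduced with a few lines of Python, which doubles as a check any site operator can run against their own access logs to see whether credentials are landing in them. The following is an added example written for this article, not Dragusin's analysis or any IEEE code. It assumes, purely for illustration, that a login form was submitted with GET so the username and password ended up in the logged request line; the article does not say how the IEEE passwords got into the logs. The log lines, the parameter names, and the five-entry "wordlist" are all constructed stand-ins.

```python
# Added example: find credentials leaked into web-server access logs and
# produce a password-frequency breakdown plus a dictionary-hit count.
# Log format, parameter names and sample data are assumptions, not the
# real IEEE logs.
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Combined Log Format. A login form submitted
# with GET puts the credentials in the request line, which most servers log.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2012:12:01:02 +0000] "GET /login?username=alice%40example.org&password=123456 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Sep/2012:12:01:09 +0000] "GET /login?username=bob%40example.org&password=ieee2012 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Sep/2012:12:02:11 +0000] "GET /login?username=carol%40example.org&password=123456 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Sep/2012:12:03:45 +0000] "GET /login?username=dave%40example.org&password=Xq7%21pL9%24zA HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Sep/2012:12:04:00 +0000] "GET /xplore/home.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Sep/2012:12:05:30 +0000] "GET /login?username=alice%40example.org&password=123456 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Tiny stand-in for the multi-million-entry wordlists Hashcat and John the
# Ripper are normally fed; it holds only the article's five top passwords.
COMMON_PASSWORDS = {"123456", "ieee2012", "12345678", "123456789", "password"}

# Query-string keys that commonly carry credentials (assumed names).
PASSWORD_KEYS = ("password", "passwd", "pwd", "pass")
USER_KEYS = ("username", "user", "login", "email")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_credentials(log_text):
    """Return (username, password) pairs found in logged request targets.

    Lines whose query string carries no password key are ignored, so an
    ordinary page hit contributes nothing.
    """
    found = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group("target")).query)  # values are URL-decoded
        pw = next((qs[k][0] for k in PASSWORD_KEYS if k in qs), None)
        if pw is None:
            continue
        user = next((qs[k][0] for k in USER_KEYS if k in qs), None)
        found.append((user, pw))
    return found


def breakdown(creds, top_n=5):
    """Frequency breakdown of passwords across distinct (user, password) pairs.

    Deduplicating on the pair means one member who logs in repeatedly is
    counted once, so the counts reflect how many accounts share a password.
    Returns (most_common list, passwords that a plain dictionary lookup hits).
    """
    counts = Counter()
    seen = set()
    for pair in creds:
        if pair not in seen:
            seen.add(pair)
            counts[pair[1]] += 1
    dictionary_hits = [pw for pw in counts if pw in COMMON_PASSWORDS]
    return counts.most_common(top_n), dictionary_hits


if __name__ == "__main__":
    creds = extract_credentials(SAMPLE_LOG)
    top, hits = breakdown(creds)
    print(f"{len(creds)} credential-bearing requests, {len(set(creds))} distinct accounts")
    for pw, n in top:
        print(f"{n:4d}  {pw}")
    print(f"{len(hits)} of {len(set(pw for _, pw in creds))} distinct passwords are in the wordlist")
```

The dictionary check is deliberately a set lookup rather than a real cracker: once a password is in plaintext there is nothing to crack, and the point of the comparison is only to show how many of the exposed values would also have fallen instantly to a wordlist had they been hashed. On a real log the first thing to do with a non-empty result from `extract_credentials` is to stop logging the query string on that endpoint and move the form to POST.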

Update: An IEEE spokeswoman emailed the following statement: "IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected. IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."

Story updated to add IEEE statement.

Listing image by Jacqui Cheng
