The world’s largest professional organization for computer engineers exposed user names, plaintext passwords, and website activity for almost 100,000 of its members, some of whom are employees of Apple, Google, IBM, and other large companies.
The sensitive information was contained in 100 gigabytes’ worth of website logs that were publicly available for at least a month on servers maintained by the Institute of Electrical and Electronics Engineers, according to a blog post published by a recent graduate and current teaching assistant at the University of Copenhagen. The 99,979 unique user names Radu Dragusin said he found in the cache make up about 24 percent of the 411,000 members counted in the 2011 IEEE Annual Report.
“It is certainly unfortunate this information was leaked out, and who knows who got it before it got fixed,” Dragusin wrote. Elsewhere in the post he said: “If leaving an FTP directory containing 100GB worth of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome.”
The exposure is problematic because it could provide outsiders with a candid view of the password choices of some of the world’s most influential software and hardware engineers. Many Internet users employ the same or a similar password for multiple accounts, with the average person using just 6.5 passcodes to access 25 separate accounts, according to one landmark study. While there are no public reports of the data circulating on the Internet, many password crackers prefer to keep their password lists a closely guarded secret, so there’s no guarantee the information isn’t already being used to compromise IEEE members.