Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Identity & Access

IEEE Exposed 100k Plaintext Usernames, Passwords on FTP Server

IEEE Passwords Exposed

The Institute of Electrical and Electronics Engineers (IEEE) stored usernames and passwords for its users in a plain-text file on a publically accessible server, a Romanian computer scientist has claimed.

IEEE Passwords Exposed

The Institute of Electrical and Electronics Engineers (IEEE) stored usernames and passwords for its users in a plain-text file on a publically accessible server, a Romanian computer scientist has claimed.

A plaintext file containing nearly 100,000 credentials were accessible on an IEEE.Org FTP server for at least one month before it was discovered on Sept. 18, Radu Drăgușin, a teaching assistant in the computer science department at the University of Copenhagen, Denmark, wrote on the site Tuesday. The file contained users who were employees at companies such as Apple, Google, IBM, Oracle, and Samsung, as well as researchers from NASA, Stanford University, and other institutions, Dragusin wrote.

In addition to exposing username and passwords for IEEE members, the FTP server contained the Website logs and visitor activity log for, Dragusin said. It appears the IEEE Web administrators “failed to restrict access” to theWeb server logs for both sites, allowing anyone to view the contents. Every Web request to the Web sites, or more than 376 million HTTP requests, were recorded in those files, Dragusin wrote.

Web server logs should never be publicly accessible as the files generally contain information that can be used to identify users and correlate their browsing activity. It appears that IEEE has closed that security hole, as the files are no longer available.

“If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome,” Dragusin wrote.

Security experts have stressed time and time again that best practices call for storing salted cryptographic hashes of passwords, using an algorithm that hasn’t already been cracked. For a professional association which includes computer science professionals and publishes security publications, keeping passwords in plaintext, and then storing them in the same location as the server logs is a colossal, and baffling, mistake to make.

It’s not known at this time whether the file was accessed before Dragusin found it. If someone else got to the file first, those users are at risk for spear phishing attacks or other targeted campaigns. If the IEEE has access logs for its FTP server, the organizations would be able to determine the extent of the damage, Dragusin speculated.

Advertisement. Scroll to continue reading.

According to Dragusin’s Twitter and Google+ posts, IEEE has yet to notify users, but the organization had posted a note to its website Tuesday afternoon, acknowledging a “security incident”.

“We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected,” the IEEE wrote in the statement.

“It would be reasonable to assume, that an organization publishing leading security-focused publications, would value the privacy of its members, and be proactive in keeping their data secure,” Dragusin wrote.

Dragusin analyzed the raw data to figure out where the users were based, what email domains they were using, and common passwords. His analysis of common passwords was particularly disappointing. The top five most popular passwords in the IEEE file turned out to be “123456,” “ieee2012,” “12345678,” “123456789,” and “password. Considering many of IEEE members are security professionals and the organization has worked on various encryption and key management standards, the lack of password sophistication is worrisome.

There’s one positive thing to note, however, since it appears that a majority of the users are using unique passwords. It appears that the top five passwords are being used by only one percent of the affected users, and the top 18 passwords were used by less than two percent of users, according to Dragusin’s analysis. IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...