Top workplace safety organization leaked user details from NASA, Tesla, DoJ, and more
Sensitive info on thousands of firms taken
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The National Safety Council (NSC), a non-profit organization that services thousands of companies, including high-profile organizations and government institutions, kept sensitive customer data in web directories available for public access.
The flaw was uncovered by researchers atCybernews, whose researchers said the database had been sitting unprotected for at least five months.
NSC operates in the US and provides workplace and driving safety training. The researchers claim the organization has almost 55,000 members, including 2,000 organizations. Among those organizations are Siemens,Intel,HP, IBM,AMD, Ford, Toyota, Tesla, and countless others. They serviced government organizations, too, including the FBI, the Pentagon, the Department of Justice, NASA, and many others.
Potential ransomware victims
In total, almost 10,000 emails and passwords were hosted in the database. Cybernews speculates the companies likely held accounts on the platform to access training materials or take part in different events the NSC organized.
While the report doesn’t specifically state the data was stolen by any malicious third party, the researchers do suggest the possibility. They argue that the credentials could have been used for credential-stuffing attacks, phishing, and more. These attacks would then lead to even more devastating scenarios, such as data theft, ransomware, and similar.
Top password manager denies its entire database can be stolen>This vicious new malware version is now targeting password managers>These are the best firewalls around
Since the discovery was made, the NSC fixed the issue, it was added.
“Having a development environment accessible to the public shows poor development practices,” the researchers said in their writeup. “Such environments should be hosted separately from the production environment’s domain and must refrain from hosting actual user data, and, of course, it should not be publicly accessible.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Among the information being leaked were user passwords, which were hashed using SHA-512, an algorithm generally consideredsecure. The passwords were also salted, but since the salts were stored together with password hashes, and were only encoded with base64, retrieving the plaintext version of the salt would be “trivial” for any experienced hacker, Cybernews said.
“It might take as long as 6 hours to crack a single password found in the database,” the researchers concluded. “This doesn’t imply that every password within the found database could be cracked, yet it’s probable that a significant portion of them could be.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Cisco issues patch to fix serious flaw allowing possible industrial systems takeover
Washington state court systems taken offline following cyberattack
Quordle today – hints and answers for Friday, November 8 (game #1019)
