A programmer found nearly 100,000 unprotected usernames and passwords on the Institute of Electrical and Electronics Engineers' servers, according to his analysis released today. The IEEE is now working to clean up the mess.

The IEEE is a well-known organization for technologists and has over 400,000 members. On September 18, Romanian programmer Radu Dragusin discovered unencrypted IEEE login credentials left publicly available on its FTP server. He says he found "99,979 unique usernames" and passwords. The servers also showed all of the members' activities on the website and may have remained unprotected for at least a month.

Dragusin says he has no intention of releasing the data, though he suspects others already have their hands on it.

As Ars Technica points out, while this is an embarrassment for the IEEE, what might be more embarrassing are the kinds of passwords being used by the members. Among the 99,979 usernames and passwords he found, 271 people used the password "123456," followed by "ieee2012," "12345678," "123456789," and "password."

No, really.

In his analysis, Dragusin notes that a number of the users are from famous technology companies such as Apple, Samsung, Google, IBM, and even NASA.

He also obtained a copy of the notification letter the IEEE sent out to affected members. It says "this matter has been addressed and resolved," and assures users that no financial information was exposed. The organization also urged members to create a strong password, and included instructions on how to do so.

hat tip Ars Technica; images from Radu Dragusin