The usernames and plain-text passwords of around 100,000 members of the Institute of Electrical and Electronics Engineers were accessible through a public-facing FTP site, it was revealed this week.
Romanian computer scientist Radu Dragusin discovered the data breach earlier this month and informed the professional organisation earlier this week.
"Due to several undoubtedly grave mistakes, the ieee.org account username and plaintext password of around 100,000 IEEE members were publicly available on the IEEE FTP server for at least one month," Dragusin wrote online. "Furthermore, all the actions these users performed on the ieee.org website were also available."
The IEEE warned customers of the breach yesterday, and reset the passwords on every affected account.
"This matter has been addressed and resolved," chief marketing officer Patrick Mahoney wrote in a letter. "None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorised third party, using your ID and password, to have accessed your IEEE account. Therefore, as a precautionary measure, IEEE has terminated access to your account using your current password."
According to Dragusin, one of the IEEE's errors was to leave its web server logs, which record every request made to the server, publicly readable on the FTP site.
That mistake could be put down to a simple permissions error, Dragusin added, but the fact that the logs contained passwords in plain text "is much more troublesome".
"Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake," he wrote. "Also, keeping passwords in logs is inherently insecure, especially plaintext passwords, since any employee with access to logs (for the purpose of analysis, monitoring or intrusion detection) could pose a threat to the privacy of users."
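The two practices Dragusin describes, storing only a salted hash of each password and keeping plaintext credentials out of server logs, are shown below in an added example that is not part of the original article or of any IEEE code. It uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, so a leaked credential table gives an attacker nothing directly reusable, and it redacts password parameters from a Common Log Format access line before it is written, so a misplaced log file does not carry passwords at all. The iteration count, the record format, the parameter names treated as sensitive, and the sample log line are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed work factor; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt_hex$digest_hex".

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed table of hashes. Only the record is stored, never the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:  # malformed record: wrong field count, bad hex, bad int
        return False
    return hmac.compare_digest(digest, expected)


# Query-string parameter names whose values must never reach a log (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass"}

# Constructed sample access-log line: a login form that submits via GET.
SAMPLE_LOG_LINE = (
    '192.0.2.10 - - [18/Sep/2012:10:00:00 +0000] '
    '"GET /login?user=alice&password=hunter2&next=/home HTTP/1.1" 200 512'
)

_REQUEST_LINE = re.compile(r'("(?:GET|POST|PUT|HEAD) \S+?\?)(\S+)( HTTP/[\d.]+")')


def redact_log_line(line: str) -> str:
    """Replace the values of sensitive query parameters in a CLF request line.

    Web servers log the full request target, so a password sent in a query
    string is written to disk verbatim. Lines without a query string are
    returned unchanged; non-sensitive parameters keep their original encoding.
    """

    def _redact(m: re.Match) -> str:
        pairs = []
        for pair in m.group(2).split("&"):
            key, sep, _value = pair.partition("=")
            if sep and key.lower() in SENSITIVE_PARAMS:
                pairs.append(f"{key}=[REDACTED]")
            else:
                pairs.append(pair)
        return m.group(1) + "&".join(pairs) + m.group(3)

    return _REQUEST_LINE.sub(_redact, line)


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored record:", record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password verifies:", verify_password("Hunter2", record))
    print("redacted log line:", redact_log_line(SAMPLE_LOG_LINE))
```

Applying the redaction at write time (or in the log shipper) is what makes an exposed log harmless; redacting after the fact only helps if nobody copied the file first, which is exactly the situation the article describes.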
In a statement yesterday, IEEE said that it "takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."
The incident is the latest to expose weak password security practices. In June, a hacker stole 6.5 million password hashes from social network LinkedIn. The company was criticised for storing them as unsalted SHA-1 hashes, which can be cracked quickly and in bulk.
In July, supermarket giant Tesco was criticised for emailing customers their account passwords in plain text, which showed that the company held passwords in a recoverable form, so anyone who compromised its systems could read them too.
"Any company that can email you your password is doing something wrong," said Graham Cluley, senior security consultant at Sophos, at the time.