IEEE Breached; 100k Unencrypted Passwords

Yesterday, the Institute of Electrical and Electronics Engineers (IEEE) confirmed a breach resulting in the compromise of nearly 100,000 accounts.

The user IDs and passwords were obtained, according to the IEEE, through “inadvertent access to unencrypted log files.” Radu Dragusin, who discovered the breach, reports that “Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places.” The irony is that the IEEE is revered for its standards and education in computer science and related fields; an organization that has released 902 publications on security and privacy should practice at least basic access control and cryptographic storage of credentials.

After the breaches at Yahoo, LinkedIn, Sony, and eHarmony, security incidents involving plaintext passwords should be a thing of the past. Passwords should never be stored in plaintext; they should be stored as salted hashes computed with a deliberately slow password-hashing function such as bcrypt, scrypt or PBKDF2, so that if the account database is compromised the attacker still has to crack each password individually and the damage from a situation like this is reduced drastically. Note, though, that hashing the stored credential does not help when the plaintext password itself is written to a log file, which is what the IEEE's statement suggests happened here: the password must also be kept out of request logs, debug output and similar files.

The IEEE has notified its users and requires authentication through security questions as well as a password change the next time each user accesses their account.

More information and a great analysis of the breach can be found at http://ieeelog.com/