The National Safety Council (NSC), a non-profit organization that services thousands of companies, including high-profile organizations and government institutions, kept sensitive customer data in web directories available for public access.
The flaw was uncovered by researchers at Cybernews, whose researchers said the database had been sitting unprotected for at least five months.
NSC operates in the US and provides workplace and driving safety training. The researchers claim the organization has almost 55,000 members, including 2,000 organizations. Among those organizations are Siemens, Intel, HP, IBM, AMD, Ford, Toyota, Tesla, and countless others. They serviced government organizations, too, including the FBI, the Pentagon, the Department of Justice, NASA, and many others.
Potential ransomware victims
In total, almost 10,000 emails and passwords were hosted in the database. Cybernews speculates the companies likely held accounts on the platform to access training materials or take part in different events the NSC organized.
While the report doesn’t specifically state the data was stolen by any malicious third party, the researchers do suggest the possibility. They argue that the credentials could have been used for credential-stuffing attacks, phishing, and more. These attacks would then lead to even more devastating scenarios, such as data theft, ransomware, and similar.
Since the discovery was made, the NSC fixed the issue, it was added.
“Having a development environment accessible to the public shows poor development practices,” the researchers said in their writeup. “Such environments should be hosted separately from the production environment’s domain and must refrain from hosting actual user data, and, of course, it should not be publicly accessible.”
Among the information being leaked were user passwords, which were hashed using SHA-512, an algorithm generally considered secure. The passwords were also salted, but since the salts were stored together with password hashes, and were only encoded with base64, retrieving the plaintext version of the salt would be “trivial” for any experienced hacker, Cybernews said.
“It might take as long as 6 hours to crack a single password found in the database,” the researchers concluded. “This doesn’t imply that every password within the found database could be cracked, yet it’s probable that a significant portion of them could be.”