NIH, CDC, World Bank Among the Other Organizations Apparently Affected
About 25,000 email addresses and passwords that are apparently for staff at the World Health Organization, the Gates Foundation, the U.S. National Institutes of Health and other organizations have been dumped online, according to the Washington Post.
Credentials that appear to be for the U.S. Centers for Disease Control and Prevention, the World Bank and the Wuhan Institute of Virology in China were also dumped, the Post reports. The list was first spotted online by the SITE Intelligence Group, which says it tracks the activities of terrorist and extremists. The organization then shared the information with the Post.
See Also: Beware the Other Virus
This list of credentials, which was circulated online starting earlier this week, is being used by extremists to hack into the accounts and harass those working at the organizations, says Rita Katz, SITE’s executive director. The organiztion has been tracking the activities of these groups in chatrooms and online venues, she told the Post.
It’s not clear where the list came from, how it was compiled, or who posted it online. But Vice reports that it was able to verify that some of the email addresses and passwords worked. The credentials could have been obtained via previous data breaches or leaks, according to Vice.
Katz told the Post that some far-right groups have been targeting organizations working on a vaccine and other healthcare initiatives related to the COVID-19.
1) BREAKING: Prominent Neo-Nazis group disseminating allegedly “hacked” emails from @gatesfoundation & @WHO, two partner orgs at front of #coronavirus fight. Data posted first to chan board & pasting site. @siteintelgroup/@SITE_CYBER currently investigating. [THREAD] pic.twitter.com/W13bKLC01u
— Rita Katz (@Rita_Katz) April 21, 2020
The list of email addresses and passwords appears to have been first posted on 4chan, an anonymous online forum that is popular with some far-right groups. From there, the list moved to text-storing site Pastebin as well as Twitter and a far-right channel on the messaging app Telegram, according to the Post.
Only Some Credential Valid
In a statement provided to Information Security Media Group, the World Health Organization says that of the approximately 2,700 WHO email addresses being circulated online, 457 were valid and active. “As a precaution, passwords have now been reset for the 457 users whose email addresses were exposed,” according to the statement.
Robert Potter, a cybersecurity researcher who is CEO of the Australian company Internet 2.0, wrote on Twitter that he was also able to confirm the authenticity of some of the WHO email addresses, and that hackers appeared to have dumped the credentials to encourage others to conduct a larger breach of the organization.
The attackers dumped the passwords to encourage a breach not because they themselves caused one. This is the cyber equivalent of chumming the water.
— Robert Potter (@rpotter_9) April 22, 2020
A Gates Foundation spokesperson tells ISMG: “We are monitoring the situation in line with our data security practices. We don’t currently have an indication of a data breach at the foundation.”
A spokesperson for the National Institutes of Health declined to comment on the report. The CDC and World Bank could not be immediately reached for comment.
Update (April 23, 2020): Cybersecurity reporters Nicole Perlroth of the New York Times, and Steve Ragan, said they found that at least a significant number of the dumped credentials are old, and harvested from previous data breaches.
For those asking how you date/vet dumps: Most time consuming is matching dumped credentials with the dates orgs put password requirements in place, which dated them back years. Also @SteveD3 and I ran them through haveibeenpwned which showed signif. overlap with older breaches. https://t.co/2FwyhCcQWN
— Nicole Perlroth (@nicoleperlroth) April 22, 2020