The top workplace safety organization leaked user data from NASA, Tesla, DoJ and more
The National Safety Council (NSC), a nonprofit that serves thousands of businesses, including high-profile organizations and government agencies, kept sensitive customer data in web directories available for public access.
The exposure was discovered by researchers at Cybernews, who said the database had been left unprotected for at least five months.
NSC is active in the US and provides training in the field of workplace and driving safety. The researchers say the organization has nearly 55,000 members, including 2,000 organizations, among them Siemens, Intel, HP, IBM, AMD, Ford, Toyota, Tesla and many others. It also serves government bodies including the FBI, the Pentagon, the Justice Department and NASA.
Potential victims of ransomware
In total, nearly 10,000 emails and passwords were hosted in the database. Cybernews speculates that the companies likely had accounts on the platform to access training materials or participate in various events the NSC hosted.
While the report does not state that the data was actually taken by a malicious third party, the researchers do raise the possibility. They note that the credentials could be used for credential stuffing, phishing and other attacks, which in turn could lead to more damaging outcomes such as data theft and ransomware.
Since the discovery was made, the NSC has resolved the issue.
“Having a development environment that is accessible to the public is bad development practice,” the researchers said in their article. “Such environments must be hosted separately from the production environment domain and must not host any actual user data, and of course must not be publicly accessible.”
The leaked information included user passwords, hashed with SHA-512. SHA-512 is a sound cryptographic hash, but it is a fast general-purpose hash rather than a password hashing function: commodity GPUs compute billions of SHA-512 digests per second, which is exactly what an offline cracking attack needs. The passwords were also salted, but the salts were stored beside the hashes, encoded only as base64, so recovering the plaintext of each salt would be "trivial" for any experienced attacker, according to Cybernews. Salts are not designed to be secret in any case; their job is to defeat precomputed tables and force each hash to be attacked separately. What limits an attacker is the cost of each guess, which is why a deliberately slow, memory-hard function such as bcrypt, scrypt or Argon2 is the standard choice for stored passwords.
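To make the cracking argument concrete, the following is an added example (not code from the article, from Cybernews or from the NSC) that stores a few constructed passwords as salted SHA-512 with the salt kept beside the hash, runs a dictionary attack against them, and then contrasts the per-guess cost with scrypt from Python's standard library. The "base64(salt):sha512hex" record layout, the salts, the wordlist and the user names are all assumptions made for the example; the article does not describe the NSC schema.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical storage layout "base64(salt):sha512hex". The article does not
# describe the NSC schema, so this layout is an assumption made for the example.


def make_record(password: str, salt: bytes) -> str:
    """Store a password as the article describes: salted SHA-512, salt beside the hash."""
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return base64.b64encode(salt).decode("ascii") + ":" + digest


def parse_record(record: str) -> Tuple[bytes, str]:
    """Recover salt and hex digest from a record. The salt is never a secret."""
    salt_b64, digest = record.split(":", 1)
    return base64.b64decode(salt_b64), digest


def crack_sha512(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one cheap SHA-512 computation per guess."""
    salt, digest = parse_record(record)
    for candidate in wordlist:
        guess = hashlib.sha512(salt + candidate.encode("utf-8")).hexdigest()
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


# Constructed sample data: fixed salts and a tiny wordlist, not real NSC records.
WORDLIST = ["password", "letmein", "Summer2023", "safety1st", "welcome1"]
SAMPLE_RECORDS = {
    "alice": make_record("Summer2023", bytes.fromhex("00112233445566778899aabbccddeeff")),
    "bob": make_record("safety1st", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
    "carol": make_record("Xk9#vQ2!pL7mZ", bytes.fromhex("0123456789abcdef0123456789abcdef")),
}


def crack_sample() -> Dict[str, Optional[str]]:
    """Run the dictionary attack over every constructed record."""
    return {user: crack_sha512(rec, WORDLIST) for user, rec in SAMPLE_RECORDS.items()}


# Hardened form: a deliberately slow, memory-hard KDF. Parameters are illustrative.
SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def make_scrypt_record(password: str, salt: bytes) -> str:
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return base64.b64encode(salt).decode("ascii") + ":" + key.hex()


def verify_scrypt(record: str, password: str) -> bool:
    salt, key_hex = parse_record(record)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(key.hex(), key_hex)


def cost_ratio(sha_iters: int = 20000, scrypt_iters: int = 5) -> float:
    """How many times more expensive one scrypt guess is than one salted-SHA-512 guess."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(sha_iters):
        hashlib.sha512(salt + b"guess").digest()
    sha_per_guess = (time.perf_counter() - t0) / sha_iters
    t0 = time.perf_counter()
    for _ in range(scrypt_iters):
        hashlib.scrypt(b"guess", salt=salt, **SCRYPT)
    scrypt_per_guess = (time.perf_counter() - t0) / scrypt_iters
    return scrypt_per_guess / sha_per_guess


if __name__ == "__main__":
    for user, recovered in crack_sample().items():
        print(f"{user}: {recovered or 'not in wordlist'}")
    print(f"one scrypt guess costs roughly {cost_ratio():.0f}x one SHA-512 guess")
```

The two weak passwords fall to a five-word list on the first pass while the strong one survives, which is the pattern Cybernews describes: not every hash is crackable, but a large share of a typical user population is. The cost ratio printed at the end is the only thing that changes between the two storage schemes; the salt handling is identical, and decoding the base64 salt costs the attacker nothing either way.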
“It can take up to six hours to crack a single password in the database,” the researchers concluded. “This does not mean that every password in the database found can be cracked, but it is likely that a significant portion of it can be cracked.”