Passwords for WHO, CDC, Gates Foundation employees reportedly spread online
WHO says the data wasn't recent and affected only one older system.
Email addresses and passwords for almost 25,000 employees at high-profile health organizations fighting the novel coronavirus pandemic were dumped online and spread via Twitter, according to a report published by The Washington Post on Wednesday. The World Health Organization, the Centers for Disease Control and Prevention, the Bill & Melinda Gates Foundation and the National Institutes of Health were among the groups reportedly affected by the exposed data, according to the paper.
SITE Intelligence Group, which reports on the activities of extremist groups from all over the world, found the data and reported its spread, according to the paper. It's unclear whether the data came from breaches of systems belonging to the affected groups or from earlier data breaches of other systems. An Australian security researcher told the Post that the WHO passwords worked to log into employees' emails. Email and password combinations for people at the Wuhan Institute of Virology, a facility near the Chinese city where the disease was discovered, also circulated online.
The spread of the information comes as the world battles COVID-19, a potentially deadly respiratory disease caused by the novel coronavirus. More than 2.6 million cases of the disease have been confirmed around the world, killing more than 182,000 people, according to Johns Hopkins University.
The WHO said on Thursday that the impact of the data exposure was limited. The data wasn't recent and only impacted one older system, the organization said in a press release. The WHO said it's seen five times as many hacking attempts directed at its staff as last year, as well as high numbers of scam emails aimed at the public and purporting to come from the organization.
"Ensuring the security of health information for Member States and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic," said Bernardo Mariano, the agency's chief information officer, in a statement. "We are all in this fight together."
The CDC and the World Bank, which was also reportedly affected, didn't respond to requests for comment. The NIH declined to comment specifically on the incident, but said, "We are always working to ensure optimal cyber safety and security for NIH and take appropriate action to address threats or concerns."
The Gates Foundation said it is monitoring the situation. "We don't currently have an indication of a data breach at the foundation," the organization said in a statement. The Wuhan Institute of Virology didn't respond to a request for comment.
CNET found archived versions of some of the data. According to the Post, a neo-Nazi group has been sharing the information on Twitter and encouraging people to use the data to harass employees of the affected organizations. Twitter said it's doing bulk takedowns of URLs that attempt to spread the data.