Passwords for WHO, CDC, Gates Foundation employees reportedly spread online

WHO says the data wasn't recent, and only affected only one older system.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read

Nearly 25,000 email addresses and passwords for employees of major public health organizations were dumped online, according to The Washington Post.

Angela Lang/CNET

Email addresses and passwords for almost 25,000 employees at high-profile health organizations fighting the novel coronavirus pandemic were dumped online and spread via Twitter, according to a report published by The Washington Post on Wednesday. The World Health Organization, the Centers for Disease Control and Prevention, the Bill & Melinda Gates Foundation and the National Institutes of Health were among the groups reportedly affected by the exposed data, according the paper.

SITE Intelligence Group, which reports on the activities of extremist groups from all over the world, found the data and reported its spread, according to the paper. It's unclear whether the data came from breaches of systems belonging to the affected groups or from earlier data breaches of other systems. An Australian security researcher told the Post that the WHO passwords worked to log into employees' emails. Email and password combinations for people at the Wuhan Institute of Virology, a facility near the Chinese city where the disease was discovered, also circulated online. 

The spread of the information comes as the world battles COVID-19, a potentially deadly respiratory disease caused by the novel coronavirus. More than 2.6 million cases of the disease have been confirmed around the world, killing more more than 182,000 people, according to Johns Hopkins University.

The WHO said on Thursday that the impact of the data exposure was limited. The data wasn't recent and only impacted one older system, the organization said in a press release. The WHO said it's seen five times as many hacking attempts directed at its staff as last year, as well as high numbers of scam emails aimed at the public and purporting to come from the organization.

"Ensuring the security of health information for Member States and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic," said Bernardo Mariano, the agency's chief information officer, in a statement. "We are all in this fight together."

The CDC and the World Bank, which was also reportedly affected, didn't respond to requests for comment. The NIH declined to comment specifically on the incident, but said, "We are always working to ensure optimal cyber safety and security for NIH and take appropriate action to address threats or concerns."

The Gates Foundation said it is monitoring the situation. "We don't currently have an indication of a data breach at the foundation," the organization said in a statement. The Wuhan Institute of Virology didn't respond to a request for comment.

CNET found archived versions of some of the data. According to the Post, a neo-Nazi group has been sharing the information on Twitter and encouraging people to use the data to harass employees of the affected organizations. Twitter said it's doing bulk takedowns of URLs that attempt to spread the data.

Watch this: Here's how scammers are using the coronavirus to cash in

Fighting coronavirus: COVID-19 tests, vaccine research, masks, ventilators and more

See all photos