The National Safety Council (NSC), an esteemed non-profit entity working with a vast range of organizations, from top-tier enterprises to government agencies, had inadvertently left sensitive client data in openly accessible web directories.

This oversight came to light when a team at Cybernews stumbled upon it, estimating that the unprotected data had been there for roughly half a year.

Serving the US, the NSC offers training in both driving and workplace safety. According to the researchers, the NSC’s membership stands close to 55,000, of which 2,000 are organizations. This list encompasses tech giants like Siemens, Intel, HP, IBM, and AMD, automotive leaders like Ford, Toyota, and Tesla, and even various governmental entities such as the FBI, Pentagon, Department of Justice, and NASA.

Also Read: Recent Cyber Incident Hits Forever 21: What You Need to Know

In essence, around 10,000 email and password combinations were discovered on this exposed database. The theory proposed by Cybernews is that these companies probably registered on the NSC platform to access training resources or engage in NSC events. Though there’s no direct evidence indicating data theft by any unauthorized entities, the potential for such breaches remains. This could pave the way for credential-based attacks, phishing ventures, and other cyber threats, leading to graver issues like data breaches or ransomware attacks.

In response to this revelation, NSC promptly rectified the vulnerability.

The researchers pointed out in their analysis, “Publicly exposing a developmental setting reflects a lapse in development protocols. Such setups should remain separate from the primary operational domain, shouldn’t house genuine user information, and most importantly, should remain off public access.”

Interestingly, the exposed data included user passwords. Although these were encrypted using the SHA-512 method (which is largely seen as secure) and salted, the issue lay in the fact that these salts, stored alongside the password encryptions, were merely base64 encoded. This means that any proficient hacker could easily decipher the salt’s original format. As per Cybernews, “An expert could potentially decipher a single password from the database in about 6 hours. While it’s not guaranteed that every password can be decrypted, a sizable fraction of them might be vulnerable.”