From Emails to Passwords: Sensitive Data Leak at NSC National Safety Council


September 2, 2023


The National Safety Council (NSC), an esteemed non-profit entity working with a vast range of organizations, from top-tier enterprises to government agencies, inadvertently left sensitive client data in openly accessible web directories.

This oversight came to light when a team at Cybernews stumbled upon it, estimating that the unprotected data had been there for roughly half a year.

Serving the US, the NSC offers training in both driving and workplace safety. According to the researchers, the NSC’s membership stands close to 55,000, of which 2,000 are organizations. This list encompasses tech giants like Siemens, Intel, HP, IBM, and AMD, automotive leaders like Ford, Toyota, and Tesla, and even various governmental entities such as the FBI, Pentagon, Department of Justice, and NASA.


Sensitive Data Leak at NSC National Safety Council

In essence, around 10,000 email and password combinations were discovered in this exposed data set. The theory proposed by Cybernews is that these companies probably registered on the NSC platform to access training resources or engage in NSC events. Though there is no direct evidence that any unauthorized party took the data, the potential for such misuse remains. Exposed credentials of this kind can feed credential-based attacks, phishing campaigns, and other cyber threats, which in turn can lead to graver outcomes such as data breaches or ransomware attacks.

In response to this revelation, NSC promptly rectified the vulnerability.

The researchers pointed out in their analysis, “Publicly exposing a developmental setting reflects a lapse in development protocols. Such setups should remain separate from the primary operational domain, shouldn’t house genuine user information, and most importantly, should remain off public access.”

Notably, the exposed data included user passwords. Although these were hashed with SHA-512 (an algorithm generally regarded as sound) and salted, the issue lay in the fact that the salts, stored alongside the password hashes, were merely base64 encoded. This means that anyone holding the dump can trivially recover each salt's original bytes. As per Cybernews, “An expert could potentially decipher a single password from the database in about 6 hours. While it’s not guaranteed that every password can be decrypted, a sizable fraction of them might be vulnerable.”
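To make the storage scheme described above concrete, here is an added Python example (not code from the article, Cybernews, or the NSC) that reconstructs a record in the reported layout, a single SHA-512 digest over salt plus password with the salt kept next to it in base64, and contrasts it with a hardened scrypt record plus a verify-and-upgrade path. The exact legacy layout (salt prefix, hex digest, field names) is an assumption; the sample salt and passwords are constructed. The defensive point it shows is that the salt was never the secret: a salt only defeats precomputed tables, and a single fast hash such as SHA-512 still lets an attacker who has the dump test guesses at hardware speed, which is why a deliberately slow, memory-hard function is the fix, together with rehashing legacy records on the next successful login.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample salt in the reported layout: stored base64-encoded
# beside the digest. (Made up for this example; not from the leak.)
LEGACY_SALT_B64 = base64.b64encode(b"example-salt-1234").decode()


def legacy_hash(password: str, salt: bytes) -> str:
    """Assumed legacy scheme: one unkeyed SHA-512 pass over salt || password.
    The weakness is speed, not the visible salt: with the record in hand an
    attacker can test candidate passwords as fast as SHA-512 runs."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def legacy_record(password: str) -> dict:
    """Build a record shaped like the exposed ones (assumed field names)."""
    salt = base64.b64decode(LEGACY_SALT_B64)
    return {"scheme": "sha512", "salt": LEGACY_SALT_B64,
            "hash": legacy_hash(password, salt)}


def legacy_verify(password: str, record: dict) -> bool:
    salt = base64.b64decode(record["salt"])
    return hmac.compare_digest(legacy_hash(password, salt), record["hash"])


# Hardened scheme: scrypt with a fresh random salt per user. The cost
# parameters below are illustrative; tune them to your login latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)


def hardened_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    # The salt is still stored in the clear (base64) next to the hash; that is
    # normal and fine, because the cost now lives in the hash function itself.
    return {"scheme": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": base64.b64encode(salt).decode(),
            "hash": base64.b64encode(digest).decode()}


def hardened_verify(password: str, record: dict) -> bool:
    salt = base64.b64decode(record["salt"])
    digest = _scrypt(password, salt, record["n"], record["r"], record["p"])
    return hmac.compare_digest(digest, base64.b64decode(record["hash"]))


def verify_and_upgrade(password: str, record: dict) -> tuple[bool, dict]:
    """Check a password against whichever scheme the record uses. On a
    successful legacy login, return a new scrypt record so the store migrates
    without ever needing the plaintext outside the login path."""
    if record["scheme"] == "scrypt":
        return hardened_verify(password, record), record
    if record["scheme"] == "sha512":
        ok = legacy_verify(password, record)
        return ok, (hardened_record(password) if ok else record)
    raise ValueError(f"unknown scheme {record['scheme']!r}")


if __name__ == "__main__":
    old = legacy_record("correct horse battery staple")
    ok, migrated = verify_and_upgrade("correct horse battery staple", old)
    print("legacy login ok:", ok, "-> now stored as", migrated["scheme"])
    print("re-login on upgraded record:",
          verify_and_upgrade("correct horse battery staple", migrated)[0])
```

Both records keep their salt in base64 beside the hash; the difference is that each scrypt guess costs tens of milliseconds and 16 MiB of memory instead of a single SHA-512 block, which is what turns "a password in about 6 hours" into an impractical effort for most of the set.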

Saher Mahmood

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
