From Emails to Passwords: Sensitive Data Leak at NSC National Safety Council

September 2, 2023
Nextdoorsec-course


The National Safety Council (NSC), an esteemed non-profit entity working with a vast range of organizations, from top-tier enterprises to government agencies, inadvertently left sensitive client data in openly accessible web directories.

This oversight came to light when a team at Cybernews stumbled upon it, estimating that the unprotected data had been there for roughly half a year.

Serving the US, the NSC offers training in both driving and workplace safety. According to the researchers, the NSC’s membership stands close to 55,000, of which 2,000 are organizations. This list encompasses tech giants like Siemens, Intel, HP, IBM, and AMD, automotive leaders like Ford, Toyota, and Tesla, and even various governmental entities such as the FBI, Pentagon, Department of Justice, and NASA.

Sensitive Data Leak at NSC National Safety Council

In essence, around 10,000 email and password combinations were discovered in this exposed database. The theory proposed by Cybernews is that these companies probably registered on the NSC platform to access training resources or take part in NSC events. Though there is no direct evidence that any unauthorized entity stole the data, the potential for such breaches remains. Exposed credentials could pave the way for credential-based attacks, phishing campaigns, and other cyber threats, leading to graver issues such as data breaches or ransomware attacks.

In response to this revelation, NSC promptly rectified the vulnerability.

The researchers pointed out in their analysis, “Publicly exposing a developmental setting reflects a lapse in development protocols. Such setups should remain separate from the primary operational domain, shouldn’t house genuine user information, and most importantly, should remain off public access.”

Interestingly, the exposed data included user passwords. Although these were hashed with SHA-512 (which is largely seen as secure) and salted, the issue lay in the fact that the salts, stored alongside the password hashes, were merely base64 encoded. This means that any proficient hacker could trivially recover the salt's original value. As per Cybernews, “An expert could potentially decipher a single password from the database in about 6 hours. While it’s not guaranteed that every password can be decrypted, a sizable fraction of them might be vulnerable.”
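The storage pattern the researchers describe (a single SHA-512 over a salted password, with the base64-encoded salt kept in the same record) is shown below next to a hardened form, as an added example that is not part of the original article or of NSC's systems; the record formats, function names and scrypt parameters are assumptions for illustration. The point it makes is that a salt is never a secret, so encoding it differently would not have helped; what bounds the cost of guessing is the work factor of the hash, and a fast hash such as SHA-512 gives an attacker one cheap operation per guess.

```python
import base64
import hashlib
import hmac
import os

# Legacy scheme, constructed to mirror the storage pattern described above:
# a single SHA-512 over salt+password, with the salt base64-encoded in the
# same record. The salt was never a secret; decoding it costs nothing, and
# SHA-512 is fast, so each password guess is one cheap hash.
def weak_store(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return base64.b64encode(salt).decode() + "$" + digest

def weak_verify(password: str, record: str) -> bool:
    salt_b64, digest = record.split("$", 1)
    salt = base64.b64decode(salt_b64)
    guess = hashlib.sha512(salt + password.encode()).hexdigest()
    return hmac.compare_digest(guess, digest)  # constant-time comparison

# Hardened scheme: memory-hard scrypt with explicit cost parameters stored in
# the record so they can be raised later. The salt is still stored in the
# clear; the work factor, not salt secrecy, is what makes guessing expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def strong_store(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), key.hex()])

def strong_verify(password: str, record: str) -> bool:
    scheme, n, r, p, salt_b64, key_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("not an scrypt record")
    key = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                         n=int(n), r=int(r), p=int(p), dklen=64)
    return hmac.compare_digest(key.hex(), key_hex)

def verify_and_upgrade(password: str, record: str):
    """Check a login against either record format. On a successful login
    against a legacy record, return a replacement scrypt record so the stored
    table migrates on use; the plaintext is only available at login time."""
    if record.startswith("scrypt$"):
        return strong_verify(password, record), None
    if not weak_verify(password, record):
        return False, None
    return True, strong_store(password)
```

A defender auditing such a table can flag every record that does not start with a recognised slow-hash scheme tag and force a reset or an on-login upgrade for those accounts.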

Saher

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
