Elsevier exposes users’ emails and passwords online

Posted by & filed under Ειδοποιήσεις.

Elsevier, publisher of scientific journals such as The Lancet, has left its users’ passwords and email addresses lying around online.

What Motherboard described as a “rolling list of passwords,” along with password reset links produced when a user requested a change to their login credentials was discovered by cybersecurity company SpiderSilk. It’s unclear how many records were exposed and for how long.

Mossab Hussein, SpiderSilk chief security officer, said that most of the exposed accounts are related to educational institutions, and hence belong to either students or teachers.

To paraphrase a Twitter wit… What could go wrong besides hackers making sure all their journal submissions get accepted?

For one thing, those email addresses/passwords could be used on other, sensitive sites, as Hussein pointed out. With the depressing ubiquity of password reuse, some of them undoubtedly are sprinkled around elsewhere online.

According to Motherboard’s Joseph Cox, the credentials were displayed on Kibana, a popular tool for visualizing and sorting data.

 

Motherboard verified that the credentials were valid by asking Hussein to reset his own password to a specific phrase fed to him by Motherboard. Cox writes:

A few minutes later, the plain text password appeared on the exposed server.

Elsevier secured the server after getting a heads-up from Motherboard and details from Hussein. An Elsevier spokesperson sent Motherboard a statement in which the publisher blamed a misconfigured server:

The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.

As others have pointed out, saying that the passwords are no longer exposed doesn’t explain why they were stored in plain text to begin with. Hopefully, Elsevier will pay attention to that, as well as to the misconfigured server that left them hanging on the line like a discarded beach towel.

 

If you’re an Elsevier user

Reset your passwords, and if you know you’ve used the same password on other website – change those too!

Also if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too.

 

The information contained in this website is for general information purposes only. The information is gathered from Naked Security while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.