Elsevier, publisher of scientific journals such as The Lancet, has left its users’ passwords and email addresses lying around online.
What Motherboard described as a “rolling list of passwords,” along with the password reset links produced whenever a user requested a change to their login credentials, was discovered by cybersecurity company SpiderSilk. It’s unclear how many records were exposed or for how long.
Mossab Hussein, SpiderSilk chief security officer, said that most of the exposed accounts are related to educational institutions, and hence belong to either students or teachers.
To paraphrase a Twitter wit… What could go wrong besides hackers making sure all their journal submissions get accepted?
For one thing, those email addresses/passwords could be used on other, sensitive sites, as Hussein pointed out. With the depressing ubiquity of password reuse, some of them undoubtedly are sprinkled around elsewhere online.
According to Motherboard’s Joseph Cox, the credentials were displayed on Kibana, a popular front end for visualizing and searching data held in Elasticsearch; the exposed server could be reached from the internet.
Motherboard verified that the credentials were valid by asking Hussein to reset his own password to a specific phrase fed to him by Motherboard. Cox writes:
A few minutes later, the plain text password appeared on the exposed server.
Elsevier secured the server after getting a heads-up from Motherboard and details from Hussein. An Elsevier spokesperson sent Motherboard a statement in which the publisher blamed a misconfigured server:
The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.
As others have pointed out, saying that the passwords are no longer exposed doesn’t explain why they were stored in plain text to begin with. Hopefully, Elsevier will pay attention to that, as well as to the misconfigured server that left them hanging on the line like a discarded beach towel.
If you’re an Elsevier user
Reset your passwords, and if you know you’ve used the same password on other websites, change those too!
Also, if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too.