Elsevier Exposed User Credentials Publicly Through Misconfigured Server


Elsevier, a popular publisher of scientific journals, has now joined the list of firms that have inadvertently breached users’ privacy. According to a recent report, a misconfigured server belonging to Elsevier exposed user credentials publicly online.

Elsevier Exposed User Credentials

As reported by Motherboard, Elsevier’s unsecured server leaked users’ emails and passwords online. The exact number of users affected by this breach has not yet been determined.

Allegedly, the Chief Security Officer at SpiderSilk, Mossab Hussein, first noticed the matter and informed Motherboard. Regarding the data exposed on the server, Motherboard stated,

“…it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials.”

To verify the flaw, Hussein reset his own password to a phrase supplied by Motherboard. Later, it appeared online on the exposed server in plain text, thus confirming the problem.

According to Hussein, most of the exposed credentials were for .edu accounts. This shows that the data belonged to teachers or students. He fears that the victims might be using the same passwords on other accounts as well.

For now, the exact number of affected accounts and the time period during which the data remained exposed are not known.

Exposed Data Now Taken Down

After Motherboard and the researcher reported the matter to the publishers, they took down the exposed data. However, when questioned as to why the server belonging to Elsevier exposed user credentials, they said in their statement,

“We are still investigating how this happened, but it appears that a server was misconfigured due to human error.”

Nonetheless, they gave assurances about the integrity of the data and pledged to take precautionary measures for users’ security.

“We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.”

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]