A popular publisher of scientific journals Elsevier has now joined the trail of firms that inadvertently breach users’ privacy. According to a recent report, a misconfigured server belonging to Elsevier exposed user credentials online for all.
Elsevier Exposed User Credentials
As reported by Motherboard, Elsevier’s unsecured server leaked users’ emails and passwords online. The exact number of users affected by this breach remains undetermined yet.
Allegedly, the Chief Security Officer at SpiderSilk, Mossab Hussein, first noticed the matter and informed Motherboard. Regarding the data exposed on the server, Motherboard stated,
“…it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials.”
To verify the flaw, Hussein reset his own password with a phrase supplied by Motherboard. Later, it appeared online on the exposed server in plain text thus confirming the problem.
According to Hussein, most of the exposed credentials include .edu accounts. This shows that the data belonged to teachers or students. He fears that the victims might be using the same passwords on other accounts as well.
For now, the exact number of affected accounts and the time period during which the data remained exposed is not known.
Exposed Data Now Taken Down
After Motherboard and the researcher reported the matter to the publishers, they took down the exposed data. However when questioned as to why the server belonging to Elsevier exposed user credentials, they said in their statement,
“We are still investigating how this happened, but it appears that a server was misconfigured due to human error.”
Nonetheless, they assure the integrity of the data and pledge to take precautionary measures for users’ security.
“We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.”
Take your time to comment on this article.
Latest posts by Abeerah Hashim (see all)
- Microsoft December Patch Tuesday Addressed Zero-Day Under Active Exploit - December 13, 2019
- Microsoft Phishing Attack Bypasses Security By Creating Local Login Form - December 9, 2019
- The Spotify Phishing Attack That Tricks Users Through Fake Failed Payment Notices - December 9, 2019