Elsevier Exposed User Credentials Publicly Through Misconfigured Server

by Abeerah Hashim

Elsevier, a popular publisher of scientific journals, has joined the list of firms that have inadvertently breached their users’ privacy. According to a recent report, a misconfigured server belonging to Elsevier exposed user credentials publicly online.

Elsevier Exposed User Credentials

As reported by Motherboard, Elsevier’s unsecured server leaked users’ emails and passwords online. The exact number of users affected by this breach has not yet been determined.

Allegedly, Mossab Hussein, the Chief Security Officer at SpiderSilk, first noticed the matter and informed Motherboard. Regarding the data exposed on the server, Motherboard stated:

“…it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials.”

To verify the flaw, Hussein reset his own password to a phrase supplied by Motherboard. Later, the phrase appeared on the exposed server in plain text, confirming the problem.

According to Hussein, most of the exposed credentials include .edu accounts. This shows that the data belonged to teachers or students. He fears that the victims might be using the same passwords on other accounts as well.

For now, the exact number of affected accounts and the period during which the data remained exposed are not known.

Exposed Data Now Taken Down

After Motherboard and the researcher reported the matter to the publishers, they took down the exposed data. However, when asked why the Elsevier server had exposed user credentials, they said in their statement:

“We are still investigating how this happened, but it appears that a server was misconfigured due to human error.”

Nonetheless, they vouch for the integrity of the data and pledge to take precautionary measures for users’ security.

“We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.”
