Security News > 2021 > January > Ethical Hackers Breach U.N., Access 100,000 Private Records
Security researchers successfully hacked the United Nations, accessing user credentials and personally identifiable information-including more than 100,000 private employee and project records-before informing the U.N. about the problem through the organization's vulnerability disclosure program.
Ethical hackers from the research group Sakura Samurai used a vulnerability in a GitHub directory that exposed WordPress DB and GitHub credentials, allowing access to numerous private records from the U.N.'s Environment Program.
Researchers were able to access a significant amount of sensitive U.N. information in their breach, including 102,000 travel records; more than 7,000 records of human resources nationality demographics; more than 1,000 generalized employee records; more than 4,000 project and funding-source records; and evaluation reports of 283 projects.
In addition to accessing records through the Git-related flaw, researchers "On the lesser side of severity" took over an SQL Database and a Survey Management program belonging to the International Labor Organization.
"In total, we found seven additional credential-pairs which could have resulted in unauthorized access of multiple databases," researchers wrote.
Last July, hackers breached the U.N. by exploiting a Microsoft SharePoint vulnerability in an apparent espionage operation, reportedly giving the attackers access to an estimated 400 GB of sensitive data.
News URL
https://threatpost.com/hackers-breach-un-access-records/162944/
Related news
- HPE investigates breach as hacker claims to steal source code (source)
- CISA: Hackers still exploiting older Ivanti bugs to breach networks (source)
- Hackers exploiting flaws in SimpleHelp RMM to breach networks (source)
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Chinese hackers breach more US telecoms via unpatched Cisco routers (source)