Ethical Hackers Breach U.N., Access 100,000 Private Records
Security researchers successfully hacked the United Nations, accessing user credentials and personally identifiable information, including more than 100,000 private employee and project records, before informing the U.N. about the problem through the organization's vulnerability disclosure program.
Ethical hackers from the research group Sakura Samurai used a vulnerability in a GitHub directory that exposed WordPress DB and GitHub credentials, allowing access to numerous private records from the U.N.'s Environment Program.
Researchers were able to access a significant amount of sensitive U.N. information in their breach, including 102,000 travel records; more than 7,000 records of human resources nationality demographics; more than 1,000 generalized employee records; more than 4,000 project and funding-source records; and evaluation reports of 283 projects.
In addition to accessing records through the Git-related flaw, researchers "on the lesser side of severity" took over an SQL Database and a Survey Management program belonging to the International Labor Organization.
"In total, we found seven additional credential-pairs which could have resulted in unauthorized access of multiple databases," researchers wrote.
Last July, hackers breached the U.N. by exploiting a Microsoft SharePoint vulnerability in an apparent espionage operation, reportedly giving the attackers access to an estimated 400 GB of sensitive data.
News URL
https://threatpost.com/hackers-breach-un-access-records/162944/