When academics and students are writing papers, research is required. At times this research can be massive, depending on the subject. The more technical the work, the more references may be used. These act as support for the researcher’s thoughts, ideas, applications, and work in general. For these references to be useful, they have to be from peer-reviewed journals. Peer-reviewed work indicates that the work is not a sole person’s opinion, but has been accepted by the researcher’s peers. These journals provide resources that have been analyzed and reviewed by other professionals. This removes the opportunity for biased research and research based on faulty methods. These articles are searchable through various sources. One of the respected tools used for the search is Elsevier.
As this service has been in use for an extended period of time, there should not have been a problem. Unfortunately, due to human error or other problems, one of their servers was left open for the public to peruse. This server happened to hold user email addresses and passwords. Yes, this is as bad as it sounds. The users included anyone with access, including those from universities and other educational institutions across the globe. Elsevier was not aware of how long this condition had been in effect. They also did not know how many users or accounts were impacted. These aspects are odd, as the servers were under their control and someone should have been able to determine these numbers through a simple review.
The problem at hand is credential stuffing. An affected user may use the same email address and password for services from other providers (e.g. the same email and/or password for Panera Bread, Amazon, or the interface to your vehicle), so credentials exposed here can be replayed against those services. This could make someone’s day very interesting.
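Credential stuffing leaves a recognizable trace on the receiving side: one source tries many different usernames in a short window, and most attempts fail. The following detector is an added example, not code from the original post or from Elsevier; the log format, the sample lines (with constructed usernames and documentation-range IP addresses), and the thresholds are all assumptions chosen to illustrate the pattern.

```python
"""Flag credential-stuffing sources in constructed web-server auth logs.

Added example, not part of the original post. A source IP is flagged when,
within one time window, it attempts at least `min_users` distinct usernames
and at least `min_fail_ratio` of those attempts fail. Successful logins inside
such a burst are reported so those accounts can be reset first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# 203.0.113.5 walks through six different accounts in four seconds (stuffing);
# 198.51.100.7 is one user mistyping a password once and then succeeding.
SAMPLE_LOG = """\
2019-03-18T10:00:01 203.0.113.5 alice@example.edu FAIL
2019-03-18T10:00:02 203.0.113.5 bob@example.edu FAIL
2019-03-18T10:00:02 203.0.113.5 carol@example.edu FAIL
2019-03-18T10:00:03 203.0.113.5 dave@example.edu SUCCESS
2019-03-18T10:00:04 203.0.113.5 erin@example.edu FAIL
2019-03-18T10:00:05 203.0.113.5 frank@example.edu FAIL
2019-03-18T10:01:00 198.51.100.7 alice@example.edu FAIL
2019-03-18T10:01:30 198.51.100.7 alice@example.edu SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for every source whose activity matches stuffing.

    A sliding window over each IP's events (sorted by time) is checked for
    distinct-username count and failure ratio; the widest matching window is
    reported.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            ratio = failures / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(span) > best["attempts"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failure_ratio": round(ratio, 2),
                        # Accounts that accepted a stuffed credential: reset these.
                        "successful_logins": sorted(u for _, u, ok in span if ok),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds matter: a single user retrying a forgotten password also fails repeatedly, but does so against one username, which is why the distinct-username count is the primary signal and the failure ratio only confirms it. Tune `min_users` and `window` to the normal traffic of the application being protected.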
Once Elsevier was notified of this (they did not discover the issue themselves), the organization corrected the configuration. They are investigating how the server came to be vulnerable. This does, however, appear to be simple human error. They did not believe the server or any data had been inappropriately used. The organization notified the users and reset their accounts.
This shows, again, the importance of proper configuration. Without it in place, the servers are open to anyone, which is not a good thing.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.