The risk of new intrusions from the publication of email addresses and passwords is hard to measure because government and business organizations often use multi-factor authentication, which requires a temporary code or a physical token to access a computer system — even when an attacker has a valid password. U.S. government agencies use multi-factor authentication widely, though not universally, with the most sensitive computer systems most likely to have this extra layer of protection against intruders, say people familiar with federal information technology guidelines.
The lists of user credentials, whose origins are unclear, appear to have first been posted to Pastebin, a text storage site. A link to that material was then posted to 4chan, a message board notorious for its hateful and extreme political commentary, and later to Twitter and far-right extremist channels on Telegram, a messaging app.
“Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues,” said Rita Katz, SITE’s executive director. “Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.”
The report by SITE, based in Bethesda, Md., said the largest group of alleged emails and passwords was from the NIH, with 9,938 found on lists posted online. The Centers for Disease Control and Prevention had the second-highest number, with 6,857. The World Bank had 5,120. The list of WHO addresses and passwords totaled 2,732, according to SITE’s report.
Smaller numbers of entries were listed for the Gates Foundation, a private philanthropic group whose co-founder, Microsoft co-founder Bill Gates, last week announced $150 million in new funding to combat the pandemic. Also targeted was the Wuhan Institute of Virology, a Chinese research center in the city where the pandemic began that has been accused of a role in triggering the outbreak.
The NIH issued a statement Wednesday saying, “We are always working to ensure optimal cyber safety and security for NIH and take appropriate action to address threats or concerns. We do not comment on specific cybersecurity matters, as such information could be used to undertake malicious activities.”
NIH and other affected institutions declined to say whether they use multi-factor authentication, but current and former employees said that such protections had become routine within federal agencies.
The World Bank declined to comment. The Gates Foundation said in a statement, “We are monitoring the situation in line with our data security practices. We don’t currently have an indication of a data breach at the foundation.”
WHO confirmed the incident in a statement Wednesday that cited a higher number of exposed credentials, 6,835, than had been reported by SITE. But WHO said only 457 of those were active and valid, and none of those were compromised. “As a precaution, passwords have now been reset for the 457 users whose email addresses were exposed,” the WHO statement said.
The CDC said in a statement on Friday, “CDC is committed to strong information safety programs and appropriately monitors all systems. For security reasons, we do not comment on specific cybersecurity matters.”
The FBI declined to comment.
Twitter spokeswoman Katie Rosborough said, “We’re aware of this account activity and are taking widespread enforcement action under our rules, specifically our policy on private information. We’re also taking bulk removal action on the URL that links to the site in question.”
Potter, chief executive of Australian company Internet 2.0, said he was able to gain access into the WHO computer systems using email addresses and passwords posted on the Internet. The WHO has come under heavy criticism, including from President Trump, who suspended funding to it, for its response to the novel coronavirus and has been accused of being too deferential to China.
“Their password security is appalling,” Potter said of the WHO. “Forty-eight people have ‘password’ as their password.” Others, he said, had used their own first names or “changeme.”
Potter said the alleged email addresses and passwords may have been purchased from vendors on the dark Web, a portion of the Internet that is not indexed by most search engines and where hacked information often is posted for sale. He said the WHO credentials appear to have come from a hack in 2016.
Katz, of SITE, said that while material from old hacks does appear on the dark Web occasionally, “we have not yet found any rock-solid proof of that for this specific case.”
References to the hacked information already are being deployed online to fuel disinformation, including linking HIV, the virus that causes AIDS, to the coronavirus.
Among the most prominent Telegram venues to share the information was the neo-Nazi channel “Terrorwave Refined,” a prominent recruiting and support channel for neo-Nazi groups such as Azov Battalion, the Base and Nordic Resistance Movement. In the past four months, the number of users subscribed to Terrorwave Refined has increased by 30 percent, with the channel now hosting over 5,300 followers.
Terrorwave Refined shared tweets and a thread on 9chan, another message board popular with extremists, containing the addresses and passwords. Terrorwave Refined posted a meme that implied that information seized through the email addresses and passwords “confirmed that SARS-Co-V-2 was in fact artificially spliced with HIV,” referring to the scientific name for the coronavirus.
A Twitter post with links to the data said, “Anons know what to do...make this go viral” — a likely reference to anonymous followers.
Matt Zapotosky contributed to this report.