The personal information of tens of thousands of Internet Society (ISOC) members has been exposed in a data security breach.
The international non-profit organization ISOC was founded in 1992 with the mission to ensure the development of an open Internet by improving and supporting the use of the Internet for individuals and organizations around the world.
Clario researchers came across the unsecured data on December 8, 2021, in an open, unprotected Microsoft Azure blob repository containing millions of files. The team then worked with independent cybersecurity researcher Bob Diachenko to report the incident.
The data exposed in the blob included the full names of ISOC members along with their residential addresses, email addresses, gender, login information and password hashes. The information was stored in JSON files.
“The open, unprotected Microsoft Azure blob repository contained millions of files with personal and login information belonging to ISOC members and potentially putting their privacy at risk,” researchers noted in an incident report published today.
They added, “Based on the size and nature of the exposed repository, we can assume that all member login and adjacent information has been open to the public internet for an indefinite period.”
Researchers reported the incident to ISOC via email the day the leak was discovered. ISOC responded by launching an investigation into the leak and securing the data.
In a comment dated Dec. 15, ISOC attributed the security flaw to a misconfiguration on the part of its management system vendor.
“We have confirmed that the association management system we use has been incorrectly configured by MemberNova, which has made certain Internet Society member data publicly available,” the company said.
ISOC added that its investigation found “no instances of malicious access to member data as a result of this issue.”
The company said those affected by the incident were notified of the breach “before the holidays.”
Clario researchers said the breach could damage the company’s reputation and put ISOC members at risk of cyberattacks.
They noted: “As the organization works in the online world and is seen as an advocate of standards and best practices, it could be particularly embarrassing if this happens.”