Computer Security: in the name of CERN

This summer, the American/Canadian dating website Ashley Madison was successfully compromised by a group of hackers (see here), who subsequently published large amounts of confidential information: addresses, dates of birth, e-mail addresses, ethnicities, genders, names, passwords, payment histories, phone numbers, security questions, sexual preferences, usernames and website activity.

Initially, these attackers blackmailed Ashley Madison and requested that the service be shut down. Later, however, they just made their stolen data public on the Internet. More than 30 million unique e-mail addresses – a hallelujah for miscreants.

What can they do with this data? One possibility is blackmailing the people whose e-mail addresses were exposed by threatening to tell their spouses (“Pay me X bitcoins or I will tell your spouse that you are looking for a date!”). Another is targeting those people who have registered with their company e-mail address, e.g. the many e-mail addresses linked to governmental organisations (“Hand over document X, give me access to Y, or I will tell Z that you are looking for a date!”). Interestingly, that list also included the e-mail addresses of six of our colleagues, three of which were still valid. Radio Télévision Suisse also reported (in French) on the Ashley Madison story (see especially at 1'19").

And this wasn’t the first time something like this has happened! Adobe had data for 153 million accounts stolen, including encrypted passwords (which were quickly decrypted). Four million records from Adult Friend Finder were leaked after an attack in May 2015. The list of customers of Domino’s Pizza in France and Belgium was released in 2014 after a failed blackmail attempt. The Forbes news network fell to attackers in 2014, with more than one million user account details leaked. YouPorn also had 26,000 e-mail addresses plus passwords stolen.

And neither was this the first time that we’ve found CERN e-mail addresses in those compromised lists*. We have to wonder why people sign up with their CERN e-mail address to personal services not at all related to CERN’s core business… While CERN tolerates the private usage of its computing resources, this is overstretching our tolerance. Thus, if you happen to register with websites and web services that are not related to your CERN work, please use a private e-mail address from your favourite provider (e.g. Gmail, Yahoo, etc.)!

*If you want to find out whether your (private) e-mail address(es) have been compromised, we recommend this trustworthy website: https://haveibeenpwned.com.


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.


by Stefan Lueders, Computer Security Team