Cybercriminals use stolen data to harass healthcare organisations during the coronavirus pandemic
According to media reports, security experts have discovered nearly 25,000 email addresses and passwords posted online by right-wing activists. The stolen data belongs to staff at a number of healthcare agencies, including the World Health Organisation, the Gates Foundation and the Centre for Disease Control and Prevention.
The data leak is said to be an attempt by the far-right to weaponise the COVID-19 pandemic. The information dump was discovered by the SITE Intelligence Group, an organisation which tracks the online activity of white-supremacist and jihadist groups.
The information was found on infamous message board 4chan and Twitter, as well as other platforms. Twitter confirmed that it has been actively removing lists of leaked email addresses and passwords.
Some of the credentials are from old hack attacks
It appears that the data is being used by far-right extremists as part of a harassment campaign - while they also continue to share coronavirus conspiracy theories and fake news.
According to reports, the data includes:
- 9,938 emails and passwords came from the National Institute of Health (NIH)
- 6,857 from the Centre for Disease Control and Prevention (CDC)
- 5,120 from the World Bank
- 2,732 from the World Health Organization (WHO)
- 269 from the Gates Foundation
- 21 from the Wuhan Institute of Virology
The BBC has discovered that some of the credentials stolen are from old hack attacks. And, believing the WHO credentials to be genuine but "from an earlier attack", security researcher Robert Potter said that: "Healthcare agencies are traditionally quite bad at cyber-security".
Stolen data is being used to harm and create havoc
Commenting on the data leak, Kingsley Hayes, our MD and data security expert said:
"This leak highlights the value of our personal information and the need for stringent security processes. After a data breach, one argument we often hear from breached companies that have had details stolen from them is that it's not really a big deal. But while there is a misconception that some forms of personal information are not as valuable others this isn't necessarily the case.
"All too often, cyber-criminals use the email addresses accessed in a data breach to extract additional information from victims, including financial data. And, this latest violation highlights how criminals can use stolen data for other, nefarious purposes.
"As it stands, the risk to the public by publishing these email addresses and passwords online is hard to determine. It is thought that, even if genuine, many of the details have since been changed and I would hope that two-factor authentication measures would be in placed to provide an additional level of security.
"Nevertheless, there are bound to be concerns that private information could be at risk. And, for organisations and individuals currently trying to navigate the global health crisis, this is an additional and unnecessary worry that they could do without".