A significant data breach has shaken the National Safety Council (NSC), an American non-profit organization specializing in workplace and driving safety training. In a disconcerting lapse of cybersecurity, the NSC’s digital platform suffered a vulnerability that led to the leak of nearly 10,000 emails and corresponding passwords belonging to their members.
This breach had far-reaching consequences, exposing around 2000 high-profile entities, including major corporations and governmental organizations. The NSC’s online resources, intended for its extensive membership of approximately 55,000 individuals across diverse businesses, agencies, and educational institutions, inadvertently exposed sensitive information for five months. The lapse was identified by the Cybernews research team, who uncovered public access to web directories containing thousands of compromised credentials.
Among those impacted were renowned companies like Shell, Intel, Boeing, and even governmental bodies like the Department of Justice and the Pentagon. The leak not only compromised NSC’s security systems but also had potential repercussions for the companies associated with its services. The stolen credentials could have been exploited for credential stuffing attacks, where hackers attempt to infiltrate various corporate tools and systems. This breach highlighted the broader risks faced by organizations and individuals when sensitive information falls into the wrong hands.
After being alerted by Cybernews, the NSC promptly addressed the issue, rectifying the vulnerability and preventing further unauthorized access. The exposed credentials were hashed with the SHA-512 algorithm, and the password salts were stored alongside the hashes, a precarious arrangement that would make password cracking easier for potential attackers.
While not every password in the database might be cracked, a significant portion was at risk. This breach serves as a stark reminder of the importance of robust cybersecurity measures and practices, as it raises concerns about the potential misuse of the leaked data for phishing, cyberattacks, and other illicit activities that could target both individuals and the affected companies.