Around 25,000 email addresses and corresponding passwords belonging to the World Health Organization (WHO), the Gates Foundation, and a number of others organizations were leaked online. The source of the leak remains a mystery.
Check now if your personal info has been stolen or made public on the internet,
with Bitdefender’s Digital Identity Protection tool.
According to a Washington Post report, the discovery was made by the SITE Intelligence Group, a non-profit organization that keeps a close eye on the online activity of white supremacists and jihadist organizations. As soon as the data appeared online, it was put to use by various far-right groups.
It’s still unclear where the data leak comes from as none of the affected organizations acknowledged suffering a data breach. The initial data was posted on 4chan, via Pastebin, then spread on other online forums.
“Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues,” said Rita Katz, SITE’s executive director. “Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.”
The credentials come from a wide variety of sources, including the World Bank, the National Institutes of Health, The Centers for Disease Control and Prevention, and others, all implicated in efforts to curb the spread of the COVID-19 epidemic.
The online organization that confirmed the incident, alongside the Gates Foundation, was the World Health Organization, which said that they had 6,835 exposed credentials, but only 457 were active and still valid. There was no indication of an exploit, and many of these organizations have multiple layers of protection, including multi-factor authentication. Still, the passwords of all affected WHO personnel were reset as a precaution.
Interestingly, just a few weeks ago, a phishing campaign designed to target WHO employees specifically was unveiled. The authorities were aware of the attempts and took the appropriate actions almost immediately, but there was a clear interest in obtaining those credentials.