The CDC, Gates Foundation, National Institute of Health, World Bank, Wuhan Institute of Virology, and the World Health Organisation have all been hacked. Thousands of emails, passwords, and documents have been leaked online.
They were initially posted to 4chan, according to a report from Site Intelligence Group, an organization that monitors right-wing extremism.
Some of the credentials are reported to be from old hack attacks.
Site Intelligence Group did not say who posted them, or if they were authentic.
Later, the list was also posted to Pastebin, which is often used to reveal hacked information, and Twitter.
In a tweet, Site’s director Rita Katz alleged the list was being used by far-right extremists as part of a “harassment campaign.”
She also gave details of the research, which indicated that:
- 9,938 emails and passwords came from the National Institute of Health (NIH)
- 6,857 from the Centers for Disease Control and Prevention (CDC)
- 5,120 from the World Bank
- 2,732 from the World Health Organization (WHO)
- 269 from the Gates Foundation
- 21 from the Wuhan Institute of Virology
1) BREAKING: Prominent Neo-Nazis group disseminating allegedly “hacked” emails from @gatesfoundation & @WHO, two partner orgs at front of #coronavirus fight. Data posted first to chan board & pasting site. @siteintelgroup/@SITE_CYBER currently investigating. [THREAD] pic.twitter.com/W13bKLC01u
— Rita Katz (@Rita_Katz) April 21, 2020
The NIH told the BBC it was investigating the leak, but none of the other organisation have responded to requests for comment.
The Gates Foundation told the Washington Post that it was investigating but had no evidence of a data breach.
Security researcher Robert Potter tweeted that he believed the leaked WHO credentials were genuine but “from an earlier attack”.
“Healthcare agencies are traditionally quite bad at cyber-security,” he wrote.
The BBC reports that the World Bank credentials are also probably from an old attack
Twitter spokeswoman Katie Rosborough said in response to links to the dump: “We’re aware of this account activity and are taking widespread enforcement action under our rules, specifically our policy on private information. We’re also taking bulk removal action on the URL that links to the site in question.”
An Australian cyber-security expert, Robert Potter, said he was able to verify that the WHO email addresses and passwords were real.
Potter, chief executive of Australian company Internet 2.0, said he was able to gain access into WHO computer systems using email addresses and passwords posted on the Internet. The WHO has come under heavy criticism, including from President Donald Trump, who suspended funding to it because of its response to the coronavirus and for allegedly being too deferential to China.
“Their password security is appalling,” Potter said of the WHO. “Forty-eight people have ‘password’ as their password.” Others, he said, had used their own first names or “changeme.”
Potter said the alleged email addresses and passwords may have been purchased from vendors on the dark web, a portion of the Internet that is not indexed by most search engines and where hacked information often is posted for sale. He said the WHO credentials appear to have come from a hack in 2016.