12 January 2021

United Nations data breach exposed over 100K employee records

Security researchers at Sakura Samurai have discovered a vulnerability related to the United Nations databases, which allowed them to access over 100,000 personal records and credentials belonging to U.N. employees.

The research team discovered the breach while looking for security issues to report to the UN under its vulnerability disclosure program. During their analysis the researchers found an exposed subdomain belonging to the UN body the International Labour Organization (ILO) that was serving its .git directory contents, including Git credentials. Using these credentials the team was able to take over a legacy MySQL database and a survey management platform belonging to the International Labour Organization. The repository contents, and with them the credentials, were retrieved using the git-dumper tool.
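The root cause described above is a deployed checkout whose .git directory was reachable through the web server and whose metadata carried credentials. The following script is an added example for defenders (it is not Sakura Samurai's tooling nor anything the UN published): it walks a web document root, lists every .git directory that a web server would serve verbatim, and flags remote URLs in .git/config that embed a username and password. All paths and the credentialed URL it builds are constructed placeholders.

```python
"""Audit a web document root for deployed .git metadata and for Git remote
URLs that embed credentials (added example; placeholder values throughout)."""
import os
import re
import tempfile

# Matches https://user:password@host... ; the password group is never reported.
URL_CRED_RE = re.compile(r"https?://([^/\s:@]+):([^/\s@]+)@([^/\s]+)", re.I)


def find_git_dirs(docroot):
    """Return every .git directory under docroot (sorted). Anything listed
    here is served to the public if the web server has no deny rule for it."""
    found = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if ".git" in dirnames:
            found.append(os.path.join(dirpath, ".git"))
            dirnames.remove(".git")  # no need to descend into the object store
    return sorted(found)


def find_embedded_credentials(git_dir):
    """Scan .git/config for remote URLs of the form https://user:pass@host and
    return (config_path, user, host) tuples; the secret itself is left out so
    the report can be shared without re-leaking it."""
    hits = []
    cfg = os.path.join(git_dir, "config")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            for m in URL_CRED_RE.finditer(fh.read()):
                hits.append((cfg, m.group(1), m.group(3)))
    return hits


def audit_docroot(docroot):
    """Return {'git_dirs': [...], 'credentials': [...]} for a document root."""
    report = {"git_dirs": [], "credentials": []}
    for git_dir in find_git_dirs(docroot):
        report["git_dirs"].append(git_dir)
        report["credentials"].extend(find_embedded_credentials(git_dir))
    return report


def build_sample_docroot():
    """Constructed fixture: a temporary docroot containing a deployed checkout
    whose .git/config points at a remote with a credentialed URL. The host,
    user and password are placeholders, not values from the incident."""
    root = tempfile.mkdtemp(prefix="docroot-")
    git_dir = os.path.join(root, "site", ".git")
    os.makedirs(git_dir)
    with open(os.path.join(git_dir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "config"), "w") as fh:
        fh.write('[remote "origin"]\n'
                 '\turl = https://deploy-user:EXAMPLE_PASSWORD@git.example.invalid/org/site.git\n')
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    result = audit_docroot(sample)
    for g in result["git_dirs"]:
        print("exposed .git directory:", g)
    for cfg, user, host in result["credentials"]:
        print(f"credentialed remote in {cfg}: user={user} host={host}")
```

Run it against the real document root of each public host rather than the fixture; any hit means the checkout should be removed from the served tree (or the server configured to deny requests under /.git), and any credential found in the metadata treated as compromised and rotated, since the article shows how far a single leaked Git credential can be chained.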

While the MySQL database and the survey management platform were largely abandoned and contained little of use, the researchers found a subdomain belonging to the United Nations Environment Programme (UNEP) that was also leaking GitHub credentials.

“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment. In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases,” the researchers said.

In total, the team found over 100,000 employee records including names, ID numbers, gender, pay grade, records of travel details, work sub-areas and departments, evaluation reports and funding source records.

The researchers told Bleeping Computer that they contacted the U.N. about the issue on January 4, 2021, and that the vulnerability was patched within a week.