UN Server Hacked, Passwords Leaked

More than a thousand usernames and passwords from the United Nations (UN) have been published online by hackers. However, initial indications are the attack may not have uncovered anything particularly important.

The information was published on Pastebin, a website commonly used by hackers releasing details, but who don't want their own sites to be swamped by high traffic. It was published in the name of 'Team Poison', arguably one of the two biggest hacking groups, alongside the better-known Anonymous. The two groups are believed to have recently formed an alliance to target financial institutions.

United Nations a "Corrupt Organization"

According to a related document, the hacking effort was provoked by a belief the UN is a corrupt organization that pushes for a "one world government" run by a "capitalist elite." (Source: theinquirer.net)

The user names and passwords, along with accompanying email addresses, appear to mostly come from the United Nations Development Program (UNDP), though staff of other UN groups are listed.

UNDP is a network which aims to help local governments in more than 175 countries work on programs such as reducing poverty, increasing democratic government, tackling Aids and dealing with environmental issues.

UN Passwords Woefully Inadequate

The attack reveals a major security problem for the UN. It appears many of the passwords are simply names, and some are as short as three characters.

Even worse, a large number of UN users used the exact same passwords -- a major security compromise. To cap things off, it appears some users have been able to access the system with only a user name, leaving the password blank.

UNDP now says the hacked server has been identified and taken offline. It reports that server has been in use since 2007 and none of the passwords are currently active. It also stressed that the public website itself was not compromised and there is no security risk for visitors. However, some experts have speculated the attackers were able to access the data through a flaw in the website itself.

A post on the Twitter account for Team Poison questions the claim that the affected server has been taken down. (Source: bbc.co.uk)