Twitter has been forced to take down thousands of breached email addresses and passwords from US and global health organizations first disseminated by alleged Neo-Nazi groups.
Rita Katz, director of SITE Intelligence Group, said the log-in combos were linked to the US National Institutes of Health (9938), Centers for Disease Control and Prevention (6857), the World Bank (5120), the Gates Foundation (269), Wuhan Institute of Virology (21) and the World Health Organization (2732).
She tweeted that “the far-right seized on the data with a harassment campaign as part of a months-long initiative to weaponize the pandemic.”
Right-wing groups have been blamed for spreading fake news and questioning scientific evidence about the COVID-19 pandemic.
“The far-right is growing an enormous capacity to disseminate such content—from conspiracy theories to ‘hacked’ data like yesterday’s,” said Katz.
However, it’s not clear whether these groups were behind the original hacking of the leaked accounts.
Katz explained that they appear to have been first posted to 4chan, although they subsequently went up on Pastebin and Twitter.
The BBC, which revealed the news of Twitter’s takedown efforts, claimed that at least some of the data was sourced from old attacks.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, explained that stolen credential lists like this are widely available on dark web marketplaces and hacking forums.
“Most of these types of password collections contain a considerable number of redundant, outdated or even deliberately fake data. Given that most business-critical systems now use 2FA and other security mechanisms to prevent password-reuse attacks, I don’t see any material risks stemming from the reported ‘leak’,” he added.
“The impacted organizations should, however, rapidly conduct an internal investigation to ascertain they didn’t fall victims to a sophisticated data breach amid the pandemic.”