The personal information of tens of thousands of members of the Internet Society (ISOC) has been exposed in a data security breach.
International non-profit organization ISOC was founded in 1992 with the mission to ensure open internet development by enhancing and supporting internet use for individuals and organizations worldwide.
Clario researchers came across the unsecured data on December 8, 2021, in an open and unprotected Microsoft Azure blob repository containing millions of files. The team subsequently worked with independent cybersecurity researcher Bob Diachenko to report the incident.
Data exposed in the blob included the full names of ISOC members together with their residential addresses, email addresses, gender, login details and password hashes. The information was stored in JSON files.
"The open and unprotected Microsoft Azure blob repository contained millions of files with personal and login details belonging to ISOC members and potentially putting their privacy at risk," noted researchers in an incident report published today.
They added: "Based on the size and nature of the exposed repository, we can assume that all of the members' login and adjacent information was open to the public internet for an undefined period of time."
Researchers reported the incident to ISOC via email on the day of the leak's discovery. ISOC responded by launching an investigation into the leak and securing the data.
In a comment dated December 15, ISOC attributed the security breach to a misconfiguration error by its management system provider.
"We have confirmed that the association management system we use was configured incorrectly by MemberNova, which made some Internet Society member data publicly accessible," said the society.
ISOC added that its investigation had not revealed "any instances of malicious access to member data as a result of this issue."
The society said that individuals who were impacted by the incident were notified of the breach "before the holidays."
Clario researchers commented that the breach could damage the society's reputation and put ISOC members at risk of cyber-attacks.
They noted: "As the organization works in the online world and is viewed as an upholder of standards and best practice, it could be particularly embarrassing if this had come out."