San Francisco Airport Hackers Steal User Logins

San Francisco International Airport (SFO) has revealed that some users of its websites may have had their logins stolen after a cyber-attack last month.

In a notification posted last week, the major transport hub revealed that its SFOConnect.com and SFOConstruction.com sites came under attack in March.

The former appears to be a general-purpose information site for employees and passengers while the latter covers projects, bids and contracts related to the airport.

“The attackers inserted malicious computer code on these websites to steal some users’ login credentials. Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO,” the breach notification revealed.

“What information was involved? At this time, it appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices.”

The airport took the affected websites offline following the incident and forced a reset of all SFO-related email and network passwords on March 23. The offending malicious code has also apparently been removed.

However, those possibly affected were urged to take action.

“If you visited either website outside of SFO’s managed networks and using Internet Explorer on a Windows-based device, you should change the password you use to log in to that device,” SFO warned. “You should also consider changing any credentials that use the same username and password combination.”

Colin Bastable, CEO of cyber-training and awareness firm Lucy Security, argued that SFO may have been exposed by employees using work credentials on subsequently breached sites.

“From a cursory glance in the darker corners of the web, I think the biggest risk to flysfo.com is from their employees using official email addresses for personal business on sites like Zynga and Myfitnesspal.com,” he said. 

“I also found around 8,00 compromised credentials from late February featuring a couple of flysfo.com email addresses. Perhaps one of these opened the door, allowing the malicious code to be dropped in the SFO websites.”

The SFO Construction site is currently undergoing maintenance, while the other appears to be back up and running.
