The IT security certification body that runs the Certified Ethical Hacker program suffered a hack attack.
The EC-Council said the same hackers who ran the DNS poisoning attack that resulted in the defacement of its website in late February also managed to access the control panel for its website after breaking into the systems of a third-party registrar.
This compromised access allowed the bad guys to get around security controls and get into the security organization’s email system, as a breach notice from the EC-Council to its members explained:
“EC-Council uses a cloud service provider for enterprise email. Once the domain privilege was attained, the hacker then issued a password reset request to the email service provider. This circumvented EC-Council’s best practices of using complex passwords and two-factor authentication. We have informed the service provider of this password reset policy vulnerability and are hopeful that they have already rectified it for the benefit of the IT community in general.
“With administrative access to the email service provider, the hacker was able to compromise a small number of email accounts before the EC-Council security team was able to respond to the breach. This resulted in unauthorized access to messages in those specific email boxes for a short duration of time.”
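The chain described in the notice starts with control of the domain at the registrar, which is why registrar and DNS records deserve the same monitoring as the accounts they protect. The following script, an added example rather than anything published by the EC-Council or its providers, compares a trusted baseline of a domain's DNS records against a fresh snapshot and flags changes to the record types a mail provider depends on (NS, MX and TXT verification records). The domain names, record values and both snapshots are constructed for illustration; in practice the snapshots would come from periodic resolver queries or the registrar's API.

```python
"""Added example: detect unexpected changes to the DNS records an email
provider relies on (NS, MX, TXT verification records).  All names and
values below are constructed; nothing here is taken from a real domain."""

from dataclasses import dataclass

# Record types whose change can move a domain's mail flow or its
# "domain ownership" proof to whoever now controls the registrar account.
CRITICAL_TYPES = {"NS", "MX", "TXT"}


@dataclass(frozen=True)
class Finding:
    rtype: str
    change: str      # "added" or "removed"
    value: str
    severity: str    # "high" for critical record types, "info" otherwise


def normalize(values):
    """Canonicalise record values so cosmetic differences are not reported."""
    return {v.strip().lower().rstrip(".") for v in values}


def detect_dns_drift(baseline, current):
    """Return one Finding per record value that appeared or disappeared."""
    findings = []
    for rtype in sorted(set(baseline) | set(current)):
        before = normalize(baseline.get(rtype, ()))
        after = normalize(current.get(rtype, ()))
        sev = "high" if rtype in CRITICAL_TYPES else "info"
        for v in sorted(after - before):
            findings.append(Finding(rtype, "added", v, sev))
        for v in sorted(before - after):
            findings.append(Finding(rtype, "removed", v, sev))
    return findings


def high_severity(findings):
    """Subset of findings that should page someone rather than wait for review."""
    return [f for f in findings if f.severity == "high"]


# Constructed baseline: the records as they looked when last verified.
BASELINE = {
    "NS": ["ns1.example-registrar.invalid.", "ns2.example-registrar.invalid."],
    "MX": ["10 mail.example-mailprovider.invalid."],
    "TXT": ["v=spf1 include:example-mailprovider.invalid -all",
            "mailprovider-verification=abc123"],
    "A": ["192.0.2.10"],
}

# Constructed current snapshot in which the nameservers and MX host changed.
CURRENT = {
    "NS": ["ns1.unknown-host.invalid.", "ns2.unknown-host.invalid."],
    "MX": ["10 mx.unknown-host.invalid."],
    "TXT": ["v=spf1 include:example-mailprovider.invalid -all",
            "mailprovider-verification=abc123"],
    "A": ["192.0.2.10"],
}

if __name__ == "__main__":
    for f in detect_dns_drift(BASELINE, CURRENT):
        print(f"[{f.severity}] {f.rtype} {f.change}: {f.value}")
```

Run on a schedule, any high-severity finding is a signal that the registrar account or the zone itself may have changed hands, and it arrives before a password-reset email at a downstream provider can be redirected. Registrar locks and registrar-side multi-factor authentication reduce the chance of the change in the first place; this check catches the cases where they were bypassed.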
The investigation into the breach is still ongoing and it remains unclear whether any member data was exposed. Credit card transactions run through a separate system that was not affected, but any private information sent by email may have been compromised.
“As a precautionary measure, we are writing to notify members that have sent any personally identifiable information to EC-Council via email that there is a possibility that these may have been exposed through email,” the breach notification from the EC-Council said. “No credit card data was compromised.”
The U.S.-based EC-Council runs the Certified Ethical Hacker (C|EH) program and other certifications. The organization asks members to submit sensitive data such as passport details as part of its registration process. The possible leak of this data is the main concern raised by the breach.
In response to the incident, the EC-Council vowed to tighten security.