French Transport Giant Exposes 57,000 Employees and Source Code

A state-owned French transportation giant has inadvertently exposed nearly 60,000 employees to identity fraud after leaking their personal information via an unsecured HTTP server, according to researchers.

A team at vpnMentor found the server on October 13, and deduced from the file names that the culprit was Régie Autonome des Transports Parisiens (RATP), which runs public transport across the French capital and beyond.

The organization apparently never replied to the team, but the French CERT was more responsive and shut the privacy snafu down “shortly after.”

The server was left “open and accessible to anyone with basic web browsing skills,” according to vpnMentor.

The team wrote that it contained an SQL database backup dating back to 2018 with over three million records. This featured the details of 57,000 RATP employees — including senior executives and the cybersecurity team.

Among the data were full names, email addresses, logins for their RATP employee accounts and MD5-hashed passwords.

“In theory, hackers could still crack some of the passwords by converting billions of plaintext passwords into MD5 hashes and seeing if any match with those stored on RATP’s server,” vpnMentor argued. “This wouldn’t take very long, as a basic modern commercial laptop is powerful enough to convert tens of billions of MD5 hashes per second.”
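For teams still holding MD5 password hashes like those described above, this added example (not from vpnMentor's report or RATP's code) shows one way to verify a legacy digest at login and replace it with a salted scrypt hash. It assumes the legacy records are bare, unsalted MD5 hex digests; the function names, record format and scrypt parameters are illustrative choices.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (about 16 MiB per guess); tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_scrypt(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' using a fresh random per-user salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"


def is_legacy_md5(stored: str) -> bool:
    """Treat a bare 32-character hex string as an unsalted MD5 digest (assumption)."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt and return (ok, record_to_store).

    A correct password against a legacy MD5 record is re-hashed with scrypt,
    so the weak digest can be overwritten the next time the user logs in.
    """
    if is_legacy_md5(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, stored.lower()):
            return True, hash_scrypt(password)
        return False, stored
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False, stored  # unknown record format: reject
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(parts[1]), **SCRYPT)
    return hmac.compare_digest(key.hex(), parts[2]), stored


if __name__ == "__main__":
    # Constructed sample record, not taken from the exposed database.
    legacy = hashlib.md5(b"password").hexdigest()
    ok, upgraded = verify_and_upgrade("password", legacy)
    print(ok, upgraded.split("$")[0])
```

Accounts that never log in again keep their MD5 record under this scheme, so a forced password reset is still needed for them after an exposure.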

With the stolen information, threat actors could have targeted employees with phishing emails designed to elicit more sensitive data, and launched follow-on fraud attempts.

However, potentially even more serious was a separate folder containing source code related to RATP’s employee benefits web portal. Within the code were API keys that enabled access to sensitive information about the website’s backend, the team wrote.

This included RATP’s GitHub account, which could be highly valuable to threat actors. Depending on the permissions granted by the keys, it could allow hackers to create or delete projects, deploy ransomware and embed malicious backdoors into RATP’s apps, websites, and network, the report noted.
