A group of cybersecurity researchers from Sakura Samurai accessed around 100,000 personal records and login credentials of United Nations (UN) employees that were exposed in a data breach. Sakura Samurai is an ethical hacking and security research group that reports security flaws to the UN under its vulnerability disclosure program and Hall of Fame.
During the vulnerability discovery, the research team found an open subdomain of a UN body, the International Labour Organization (ilo.org), that exposed a Git directory and with it Git credentials. The researchers used the tool git-dumper to exfiltrate the repository and its credentials, which allowed them to take over a legacy MySQL database and a survey management platform. The Sakura Samurai group also discovered an exposed subdomain of the UN Environment Programme (UNEP), which was likewise exposing Git credentials.
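The root cause above is a web server that serves its deployment's .git/ directory. As an added example (not code from the article or from Sakura Samurai), the following Python check lets a security team confirm that hosts it owns do not serve .git/HEAD, and whether an exposed .git/config embeds credentials in a remote URL; the sample responses and the hostname are constructed assumptions.

```python
"""Audit your own web hosts for a served .git/ directory (added example)."""
import re
import urllib.error
import urllib.request
from typing import Callable, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, body text)

# A real HEAD file is "ref: refs/..." or a bare 40-hex commit id. Checking the
# body, not just the status, avoids false positives on servers that answer
# every path with a 200 "not found" HTML page.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
# Credentials embedded in a remote URL, e.g. url = https://user:token@host/repo.git
URL_CRED_RE = re.compile(r"url\s*=\s*\S+://[^/\s:@]+:[^@\s]+@", re.IGNORECASE)


def git_exposed(fetch: Fetch) -> bool:
    """True if /.git/HEAD is served and looks like a genuine git HEAD file."""
    status, body = fetch("/.git/HEAD")
    return status == 200 and HEAD_RE.match(body.strip()) is not None


def config_has_credentials(fetch: Fetch) -> bool:
    """True if the served /.git/config carries user:secret in a remote URL."""
    status, body = fetch("/.git/config")
    return status == 200 and URL_CRED_RE.search(body) is not None


def audit(fetch: Fetch) -> str:
    """Classify a host: 'ok', 'exposed', or 'exposed-with-credentials'."""
    if not git_exposed(fetch):
        return "ok"
    return "exposed-with-credentials" if config_has_credentials(fetch) else "exposed"


def http_fetch(base_url: str) -> Fetch:
    """Fetcher for a host you own; only the first 4 KiB of a body is read."""
    def fetch(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=5) as r:
                return r.status, r.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
        except (urllib.error.URLError, OSError):
            return 0, ""
    return fetch


# Constructed responses standing in for a misconfigured server (no network needed).
SAMPLE = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (200, '[remote "origin"]\n\turl = https://deploy:s3cret@git.example.org/app.git\n'),
}


def sample_fetch(path: str) -> Tuple[int, str]:
    return SAMPLE.get(path, (404, ""))


if __name__ == "__main__":
    print(audit(sample_fetch))  # exposed-with-credentials
```

To audit a live host you own, replace `sample_fetch` with `http_fetch("https://host.example.org")`; an exposed host should then be fixed by denying `/.git` at the web server and rotating any credentials found in the repository.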
Exposed Personal Data
According to researcher John Jackson, a massive amount of Personally Identifiable Information (PII) was exposed, including:
Two documents containing more than 102,000 travel records, including employee ID numbers, names, employee groups, travel justification, start and end dates, length of stay, approval status, and destinations.
Two documents containing more than 7,000 HR nationality demographics records, including employee name, ID number, nationality, gender, pay grade, organization work unit identification number, and unit text tags.
One document of generalized employee records (more than 1,000 records).
Project and funding source records (more than 4,000 records).
Evaluation reports (details of 283 projects).
Data Breach Impact
The Sakura Samurai team claimed they were able to download a large number of private, password-protected GitHub projects and found multiple sets of database and application credentials for the UNEP production environment. In total, they found seven additional credential pairs, which could have resulted in unauthorized access to multiple databases.
“We decided to stop and report this vulnerability once we were able to access PII that was exposed via Database backups that were in the private projects,” Sakura Samurai said.