Misconfigured server leaves Elsevier users’ credentials open to the public internet

• The incident has affected people from universities and educational institutions from across the world.
• Most of the affected users had .edu (education institute) accounts, either belonging to students or teachers.

Elsevier, the scholarly paper publisher giant, has exposed its users’ login credentials on the internet following a misconfiguration in a server. The incident has affected people from universities and educational institutions from across the world.

The big picture - Mossab Hussein, the chief security officer at cybersecurity company SpiderSilk told Motherboard that the unprotected server in question has exposed user email addresses and passwords. Most of the affected users had .edu (education institute) accounts, either belonging to students or teachers. The passwords appeared to be stored in plain text format.

“Most users are .edu [educational institute] accounts, either students or teachers. They could be using the same password for their emails, iCloud, etc.” Hussein told Motherboard.

The number of users impacted in the data leak is unknown. It is also not clear as for how long the server was exposed on the internet.

However, the data itself was displayed via Kibana, a popular tool for visualizing and sorting data.

What actions were taken - Elsevier immediately took the matter in hand and secured the leaky server. The firm is investigating the matter and trying to find out the reason behind the data leak. As a precautionary measure, it was rolled out password reset links to users.

“The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused,” An Elsevier spokesperson told Motherboard in a statement.

The company has also informed the data protection authority about the incident.