Click to Skip Ad
Closing in...

Thousands of email addresses and passwords from CDC, WHO, and more leaked online

Published Apr 22nd, 2020 5:26PM EDT
Coronavirus USA
Image: MARTIAL TREZZINI/EPA-EFE/Shutterstock

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

  • Nearly 25,000 email addresses and passwords from several organizations that are involved in dealing with the novel coronavirus pandemic have been shared online.
  • Email accounts from the CDC, Gates Foundation, NIH, WHO, and the World Bank were shared online. Some of the WHO credentials were verified.
  • Far-right groups have been using the information to spread disinformation and fuel COVID-19 conspiracy theories.
  • Visit BGR’s homepage for more stories.

One of the worst things that can happen to authorities scrambling to deal with a life-threatening disease like COVID-19 is a security breach. And that’s apparently what has happened, as unknown individuals published nearly 25,000 email addresses and passwords from various organizations, including the CDC, Gates Foundation, NIH, WHO, and the World Bank.

The login credentials were dumped online, and right-wing activists have been making use of them. It’s unclear when the security breaches occurred and who was responsible for the hacks and the dissemination of information, but the results are troubling nonetheless. Some of these passwords can still be used to access email addresses.

The SITE Intelligence Group that monitors online extremism and terrorist groups told The Washington Post that the email logins were shared on Sunday. By Monday, they were already being used in hacking and harassment attempts by far-right extremists.

“Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues,” SITE’s executive director Rita Katz said. “Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the COVID-19 pandemic.”

It started on 4chan, then the information moved to Pastebin, and then it showed up on Twitter and far-right extremist channels on Telegram. The largest group of emails belonged to NIH (9,938), followed by the CDC (6,857), World Bank (5,120), and WHO (2,732).

Australian cybersecurity expert Robert Potter said some WHO email address and password combinations were real. As you might have guessed, some people used “password” as their password.

“Their password security is appalling,” Potter said about the leaked WHO credentials. “Forty-eight people have ‘password’ as their password.” Others used their own first names or “changeme.” The WHO credentials came from a hack in 2016, Potter said. It’s unclear where the other credentials originated, or who was able to obtain them. Some of them may have been purchased from the dark web.

Neo-Nazi groups have been using the information to disseminate and fuel COVID-19 conspiracy theories. One group said that data from these email addresses “confirmed that SARS-CoV-2 was, in fact, artificially spliced with HIV,” which is one of the coronavirus theories going around right now. WHO recently said that the novel coronavirus is of animal origin, and there’s no indication that the COVID-19 virus was engineered in a lab.

Chris Smith Senior Writer

Chris Smith has been covering consumer electronics ever since the iPhone revolutionized the industry in 2008. When he’s not writing about the most recent tech news for BGR, he brings his entertainment expertise to Marvel’s Cinematic Universe and other blockbuster franchises.

Outside of work, you’ll catch him streaming almost every new movie and TV show release as soon as it's available.