Critical Data Leak at Berlin Red Cross: Passwords and Private Messages Exposed

  • Last updated May 15, 2024
  • written by

A serious data breach has been reported at the Berlin-North-East branch of the German Red Cross, leading to a significant exposure of sensitive information. The incident, which came to light on February 23rd, 2024, revealed a slew of confidential data due to a misconfiguration in the organization’s internal systems.

According to a tweet posted, which first discovered the leak, “employee emails, plain-text passwords, and internal messages were left unprotected” due to this misconfiguration. The leaked information is susceptible, including “details about access permissions, the location of keys, and critical areas within the Red Cross Berlin-North-East facilities.”

The exposure could be catastrophic, providing ample opportunity for “malicious actors to cause actual physical damage to the organization or exploit the leaked credentials for credential stuffing attacks,” threatening the Berlin branch and the broader Red Cross Germany network.

Alarmingly, the leak was enabled by an “enabled and publicly accessible Symfony Profiler on the Red Cross website.” This tool, typically used for debugging and performance optimization during development, was inappropriately active in a production environment, but still cannot detect the activity done using the best VPNs. It is advised that a Symfony Profiler “should always be disabled on production environments to ensure security.”

The Cybernews team notes that while there is “no evidence that malicious actors have successfully breached Red Cross systems,” the mere fact that system configurations permitted such access is deeply troubling. This incident underscores the increasing trend of cyberattacks against non-profit organizations, which have traditionally been off-limits for cybercriminals.

As of now, “the access issue has been secured” following contact with the Red Cross by Cybernews. However, the data has been available for exploitation since September 2022, and “an official comment from the Red Cross is yet to be received.”

Leave a Reply

Your email address will not be published. Required fields are marked *