[BreachExchange] Mensa Website Hacked After Britain’s Smartest Folk Failed To Secure Passwords
Destry Winant
destry at riskbasedsecurity.com
Tue Feb 2 10:18:26 EST 2021
https://www.forbes.com/sites/barrycollins/2021/01/30/britains-smartest-peoplemensafail-to-secure-passwords-properly/?sh=60e1d5e243f5
British Mensa, the society for people with high IQs, failed to
properly secure the passwords on its website, prompting a hack on its
website that has resulted in the theft of members’ personal data.
Eugene Hopkinson, a former director and technology officer at British
Mensa, stood down this week, claiming that the organization had failed
to secure the data of its 18,000 members properly, according to a
report in the FT.
Hopkinson claimed that the stored passwords of Mensa members were not
hashed, potentially allowing hackers to unscramble them.
That apparent security blunder became all the more serious this week
when the society admitted it had been the victim of a cyberattack. The
Mensa website is currently unavailable, merely displaying a message
saying “site under maintenance”.
Mensa held an emergency directors’ meeting today in which a source
tells me it was confirmed that the Mensa site had been hacked this
morning, using the credentials of one of the organization’s directors.
It was also confirmed at the meeting that there were logs of Mensa
members’ passwords stored in plain text. A Mensa member told the FT
that the society had sent him his password in plain text within the
past year.
Several stashes of Mensa personal data have been posted onto the
Pastebin website, although some have subsequently been removed from
the site.
Hopkinson told the FT that the Mensa website held lots of sensitive
information on its members, including payment details, instant
messaging conversations and IQ scores of both current members and
failed applicants.
“If a breach is found to have taken place, I have no faith that the
[Mensa] board and office will report it adequately... or take
sufficient mitigating action to prevent further harm,” Hopkinson wrote
in an open letter announcing his resignation. A fellow board member
resigned in protest at the same issue.
Mensa investigation
A spokesperson for Mensa told the FT that member passwords had been
encrypted and that the organization was in the process of hashing
passwords. The spokesperson denied that passwords were ever sent out
in plain text and that it had handed details of the cyberattack to
Britain’s Information Commissioner “with a view to pursuing a criminal
investigation”.
Mensa is a non-profit organization, open only to those people who
score in the 98th percentile or higher in a standardized IQ test.
I haven’t been able to reach Mensa for comment at the time of publication.
More information about the BreachExchange
mailing list