Email addresses and passwords allegedly from NIH, WHO and Gates Foundation, are dumped online
By Craig Timberg and SOUAD MEKHENNET
The Washington Post
Anonymous activists have posted nearly 25,000 email addresses and passwords allegedly belonging to the National Institutes of Health, the World Health Organization, the Gates Foundation and other groups working to combat the coronavirus pandemic, according to SITE Intelligence Group, which monitors online extremism and terrorist groups.
While SITE was unable to verify whether the email addresses and passwords were authentic, the group said the information was released on Sunday and Monday and almost immediately used to foment attempts at hacking and harassment by far-right extremists. An Australian cybersecurity expert, Robert Potter, said he was able to verify that the WHO email addresses and passwords were real.
The lists, whose origins are unclear, first appear to have been posted to 4chan, a message board notorious for its hateful and extreme political commentary, and later to Pastebin, a text storage site, Twitter and to far-right extremist channels on Telegram, a messaging app.
“Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues,” said Rita Katz, SITE’s executive director. “Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.”
The report by SITE, based in Bethesda, Maryland, said the largest group of alleged emails and passwords was from the NIH, with 9,938 found on lists posted online. The Centers for Disease Control and Prevention had the second-highest number, with 6,857. The World Bank had 5,120. The list of WHO addresses and passwords totaled 2,732.
Smaller numbers of entries were listed for the Gates Foundation, a private philanthropic group whose co-founder, Microsoft co-founder Bill Gates, last week announced $150 million in new funding to combat the pandemic. Also targeted was the Wuhan Institute of Virology, a Chinese research center in the city where the pandemic began that has been accused of a role in triggering the outbreak.
The NIH, CDC, WHO and World Bank did not immediately reply to requests for comment Tuesday evening. The Gates Foundation said in a statement: “We are monitoring the situation in line with our data security practices. We don’t currently have an indication of a data breach at the foundation.”
The FBI declined to comment.
Twitter spokeswoman Katie Rosborough said, “We’re aware of this account activity and are taking widespread enforcement action under our rules, specifically our policy on private information. We’re also taking bulk removal action on the URL that links to the site in question.”
Potter, chief executive of Australian company Internet 2.0, said he was able to gain access into WHO computer systems using email addresses and passwords posted on the Internet. The WHO has come under heavy criticism, including from President Donald Trump, who suspended funding to it because of its response to the coronavirus and for allegedly being too deferential to China.
“Their password security is appalling,” Potter said of the WHO. “Forty-eight people have ‘password’ as their password.” Others, he said, had used their own first names or “changeme.”
Potter said the alleged email addresses and passwords may have been purchased from vendors on the dark web, a portion of the Internet that is not indexed by most search engines and where hacked information often is posted for sale. He said the WHO credentials appear to have come from a hack in 2016.
SITE’s Katz said that while material from old hacks does appear on the dark web occasionally, “we have not yet found any rock-solid proof of that for this specific case.”
References to the hacked information already are being deployed online to fuel disinformation, including erroneous posting linking HIV, the virus that causes AIDS, to the coronavirus.
Among the most prominent Telegram venues to share the information was the neo-Nazi channel “Terrorwave Refined,” a prominent recruiting and support channel for neo-Nazi groups such as Azov Battalion, The Base, and Nordic Resistance Movement. In the past four months, the number of users subscribed to Terrorwave Refined has increased by 30%, with the channel now hosting over 5,300 followers.
Terrorwave Refined shared Tweets and a thread on 9chan, another message board popular with extremists, containing the addresses and passwords. Terrorwave Refined posted a meme that implied that information seized through the email addresses and passwords “confirmed that SARS-Co-V-2 was in fact artificially spliced with HIV. . .”
A Twitter post with links to the data said, “Anons know what to do . . . make this go viral” — a likely reference to anonymous followers.
The Washington Post’s Matt Zapotosky contributed to this report.