Scientists’ Usernames, Passwords Possibly Stolen in Synchrotron HackScientists’ Usernames, Passwords Possibly Stolen in Synchrotron Hack

Hackers have allegedly hacked the Australian Synchrotron User Portal website, potentially stealing a database containing email addresses and encrypted passwords of scientists and researchers who request time to use the Synchrotron atom-smashing facility.

While the facility is used by scientists to research sub-atomic particles, biomedicine and manufacturing, it’s unclear what the leveraged vulnerability was and how could this incident affect the facility. Following the breach, an email has been sent to all users requesting a preventative password change to avoid any other security issues caused by stolen credentials.

“The Australian Synchrotron apologises to users of the Australian Synchrotron User Portal for an incident that occurred on Friday the 27th of January whereby the email address and encrypted password of registered users were obtained by unauthorised persons though the exploitation of a security vulnerability,” reads the email sent to all those potentially affected.

It’s unclear how the passwords were stored and the level of encryption used to scramble them. If they were unsalted MD5 hashes, it could raise serious security concerns, as they could easily be decrypted and viewed in plain text. Plus, if affected scientists used the same credentials for other websites, as cybercriminals could use them to gain access to other accounts and data.

However, a Synchrotron spokesperson said the affected database and systems were isolated from other critical systems and the chances for cybercriminals to have accessed other databases are remote.

“As a precautionary measure, all users have been required to reset their passwords,” added Synchrotron’s spokesperson.

Scientists who use the affected portal are strongly encouraged to change their passwords and generate new ones using security best practices.