Particle accelerator hacked: Boffins' hashed passwords beamed up

The Australian Synchrotron warns it's been wormholed, but not dangerously

UPDATE The Australian Nuclear Science and Technology Organisation (ANSTO) is investigating a computer security breach at the Australian Synchrotron that saw hackers steal scientists' usernames and passwords Friday.

Hackers of as yet unknown origin hit systems hosting the web portal where researchers from ANSTO and third parties can request time to use the Victorian atom-smashing facility. We're told miscreants stole brainiacs' email addresses and scrambled passwords.

The facility is used for a broad array of scientific and defense applications, from studying sub-atomic particles to biomedicine, pharmaceuticals, and manufacturing.

An email sent at 1am today to users of the Australian Synchrotron User Portal, seen by The Register, says the digital break-in occurred Friday, January 27 via an undisclosed vulnerability.

"The Australian Synchrotron apologises to users of the Australian Synchrotron User Portal for an incident that occurred on Friday the 27th of January whereby the email address and encrypted password of registered users were obtained by unauthorised persons though the exploitation of a security vulnerability," the email says. Immediate action has been taken to address this vulnerability and a comprehensive security review of the Australian Synchrotron User Portal is now underway, we're told.

The portal also requires users to fill out their names, academic qualifications, organisation, department, and position, and offers fields for street addresses, phone numbers, citizenship, and gender.

The Register has asked the Australian Synchrotron to comment on the scope of the security breach. A spokesperson for the lab was not immediately available to respond.

Boffinry nerve centre ... the Australian Synchrotron (click to enlarge)

Youtube Video

It is not known which hashing algorithm was used to one-way encrypt the passwords: let's hope it's not the outdated but tragically popular MD5, and instead something like bcrypt, PBKDF2, or bleeding edge Argon2. The facility has asked that members reset passwords anyway out of precaution.

Form filling ... a page to apply to use the facility (click to enlarge)

If the passwords can be cracked, any eggheads who have reused the same password and email combination on other websites face losing control of those accounts too. ®

UPDATE: A spokesperson for the Synchrotron's been in touch to the hacked network is isolated from the rest of the agency and that ANSTO can rule out other systems beyond the user database having been compromised.

The database is also entirely isolated from the home of Australia's sole nuclear reactor, on ANSTO’s Lucas Heights campus.

“As a precautionary measure, all users have been required to reset their passwords,” the spokesperson said.


Biting the hand that feeds IT © 1998–2017