Security Affairs
Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

National Safety Council data leak: Credentials of NASA, Tesla, DoJ, Verizon, and 2K others leaked by workplace safety organization

The National Safety Council leaked thousands of emails and passwords of their members, including companies such as NASA and Tesla. The National Safety Council has leaked nearly 10,000 emails and passwords of their members, exposing 2000 companies, including governmental organizations and big corporations. The National Safety Council (NSC) is a non-profit organization in the United […]

National Safety Council leak nasa tesla

The National Safety Council leaked thousands of emails and passwords of their members, including companies such as NASA and Tesla.

The National Safety Council has leaked nearly 10,000 emails and passwords of their members, exposing 2000 companies, including governmental organizations and big corporations.

The National Safety Council (NSC) is a non-profit organization in the United States providing workplace and driving safety training. On its digital platform, NSC provides online resources for its nearly 55,000 members spread across different businesses, agencies, and educational institutions.

However, the organization’s website was left vulnerable to cyberattacks for five months. The Cybernews research team discovered public access to the web directories that exposed thousands of credentials.

Among a long list of leaked credentials were employees of around 2000 companies and governmental entities, including:

  • Fossil fuel giants: Shell, BP, Exxon, Chevron
  • Electronics manufacturers: Siemens, Intel, HP, Dell, Intel, IBM, AMD
  • Aerospace companies: Boeing, Federal Aviation Administration (FAA)
  • Pharmaceutical companies: Pfizer, Eli Lilly
  • Car manufacturers: Ford, Toyota, Volkswagen, General Motors, Rolls Royce, Tesla
  • Governmental entities: Department of Justice (DoJ), US Navy, FBI, Pentagon, NASA, The Occupational Safety and Health Administration (OSHA)
  • Internet service providers: Verizon, Cingular, Vodafone, ATT, Sprint, Comcast
  • Others: Amazon, Home Depot, Honeywell, Coca Cola, UPS

These companies likely held accounts on the platform to access training materials or participate in events organized by the NSC.

The vulnerability posed a risk not only to NSC systems but also to the companies using NSC services. Leaked credentials could have been used for credential stuffing attacks, which try to log into companies’ internet-connected tools such as VPN portals, HR management platforms, or corporate emails.

Also, the credentials could have been used to gain initial access into corporate networks to deploy ransomware, steal or sabotage internal documents, or gain access to user data. Cybernews reached out to the NSC, and it quickly fixed the issue.

NSC exposed web folder
Exposed web folder | Source: Cybernews

Public access to web directories

The discovery of the vulnerability was made on March 7th. The Cybernews research team found a subdomain of the NSC website, which was likely used for development purposes. It exposed the listing of its web directories to the public, enabling an attacker to access the majority of files crucial for the operation of the web server. Among the accessible files, researchers also discovered a backup of a database storing user emails and hashed passwords. The data was publicly accessible for 5 months, as the leak was first indexed by IoT search engines on January 31st, 2023.

In total, the backup stored around 9500 unique accounts and their credentials, with nearly 2000 different corporate email domains belonging to companies spreading across various industries.

National Safety Council leak nasa tesla

Having a development environment accessible to the public shows poor development practices. Such environments should be hosted separately from the production environment’s domain and must refrain from hosting actual user data, and, of course, it should not be publicly accessible.

NSC user table schema
User Table Schema | Source: Cybernews

As a huge number of emails were leaked, platform users could potentially experience a surge in spam and phishing emails. It’s advisable for them to externally verify the information contained in emails and exercise caution when clicking links or opening attachments.

Are the leaked passwords crackable?

Give a look at the original post @

Original post at https://cybernews.com/security/national-safety-council-data-leak/

About the author: Paulina Okunytė, Journalist at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – National Safety Council, NASA)