San Francisco International Airport has been hacked, with data stolen from two subsidiary sites, SFOConstruction.com and SFOConnect.com.

The attack occurred last month and involved the theft of login credentials such as usernames and passwords. SFO does not refer to those passwords being encrypted, so it can be presumed that the passwords may have been in plain text.

“The attackers inserted malicious computer code on these websites to steal some users’ login credentials,” the April 7 breach notice reads. “Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO.”

Why it specifically referenced Internet Explorer, which had a 1.71% market share as of March, is anyone’s guess. That it would do so might also reflect its cybersecurity practices.

“The San Francisco International Airport data breach is yet another example of the importance of IT and security hygiene,” James Carder, chief security officer and vice president of security intelligence firm LogRhythm Inc., told SiliconANGLE. “While the initial access or exploit point leveraged by the attacker to steal credentials and upload malicious code hasn’t been disclosed, one can assume that the attacker leveraged a known vulnerability in these websites specifically.”

Carder added that it’s likely the SFO websites were not specifically targeted and that the attacker stumbled upon vulnerable web servers that could be exploited. “Connected to these websites are a number of links and connections to sites for employees to information,” he noted.

Erich Kron, security awareness advocate at security awareness training company company KnowBe4 Inc., said this is another example where hackers break into one website not with the intention of getting information there but to steal credentials to try in other places using a trick called credential-stuffing

“Attackers know that people tend to reuse passwords across different websites and take credentials collected from other sites, then try to use them to log into more valuable websites, such as banks,” he said. “It is vital to ensure that people are taught about the dangers of reusing passwords across multiple websites and that people enable multifactor authentication, such as a text message with a code or a code generated from an app on a smart phone, wherever possible. That way, if the bad actors have the username and password, they still cannot access the account easily.”

Photo: Zoxcleb/Wikimedia Commons