- CNBC mistakenly leaked passwords as part of an article it posted Tuesday intended to help promote awareness over password security practices.
- The story was delivered without SSL/TLS encryption and also included a tool that collected and sent passwords to advertising networks and other parties with trackers on CNBC's page.
- The story was promptly removed from CNBC’s website. No estimates of the number of people affected was available.
CNBC had the best of intentions—the tool embedded in the story was designed to allow readers to evaluate their passwords and provide them an estimate of how long it would take a hacker to crack it.
A note in the article said the tool would not store the passwords, but, as it turned out, that was incorrect. Traffic analysis showed it was storing the passwords in Google Docs. To top it off the passwords were sent to advertising networks and other parties with trackers on CNBC's page, according to Ashkan Soltani, a privacy and security researcher. Recipients of the passwords included Google's DoubleClick advertising service and Scorecard Research, an online marketing company.
The article also wasn't delivered using Secure Socket Layer (SSL) /Transport Security Layer (TLS). SSL/TLS certificates encrypt web server and web browser communication over a network. Without SSL/TLS, someone on the same network could have seen any password sent to CNBC.
More companies are moving to adopt SSL/TLS, but the practice still goes under-used. If a site does have the certificates, a padlock will appear in the URL bar.
In December, cloud and mobile security vendor Wandera said it discovered 16 companies that failed to encrypt payment card information in transit in their mobile apps. Wandera said the apps were not using SSL/TLS. One organization, in an effort to promote online security, issued 1 million digital security certificates for free.