Two San Francisco International Airport Websites Got Hacked
- Hackers managed to plant malicious code on two websites used by the San Francisco International Airport.
- The code most likely overlaid a fake login form that asked for the user’s device credentials.
- All personnel passwords have been reset now, but about 8,000 usernames and passwords are already on the dark web.
The San Francisco International Airport (SFO) has released a notice of a data breach that circulated to the affected individuals. Apparently, hackers have managed to plant data-stealing code on “SFOConnect.com” and “SFOConstruction.com,” which have been cleaned by now. The airport has forced a reset of all email and network account passwords on March 23, 2020, while the sent notifications urge the recipients to reset their credentials too. Mainly, this incident concerns SFO personnel and not people who had traveled through the busy airport. To confirm this, you may send a message to “marcom@flysfo.com.”
As for the details of the website hack, not much has been revealed directly in the airport’s announcement. The notice mentions the compromise of credentials that relate to personal devices, so these could be laptops, tablets, and smartphones used in order to connect to SFO’s online platforms and cloud services. However, many of the employees are likely to be using the same credentials to access their devices and to login onto the SFO websites. This is precisely why the airport has decided to reset everything as a precautionary measure.
SC Media conducted its own investigation, trying to figure out more about what had happened. They found that some data that are shared on the dark web right now could have derived from this incident. More specifically, an IT defense testing firm, “Lucy Security,” has found around eight thousand credentials related to “flysfo.com.” These first appeared online in late February 2020, so it’s possible that it took SFO’s IT team a month or even more to realize the breach. As the same company speculated, the attackers may have stolen the device credentials by using spoofed forms loaded on the compromised websites by the malicious code.
Right now, one of the two websites remains offline (under maintenance), while the airport continues to operate on emergency personnel. It means the majority of its staff works from home, using corporate VPN tools to connect to the SFO services. Thus, the particular attack doesn’t look like it was a random effort, but rather a very specific attempt. Hopefully, this won’t affect the flight connections or any other of the SFO’s operations during these difficult times.