IE 11 is not supported. For an optimal experience visit our site on another browser.

Logins of WHO, Gates Foundation employees circulate on fringes of the internet

Analysis of the information found it had likely been collected from previous breaches, a practice that is not uncommon in the internet's black market for data.
Image: FILE PHOTO: A logo is pictured outside a building of the WHO in Geneva
The World Health Organization (WHO) building in Geneva, Switzerland, on Feb. 6, 2020.Denis Balibouse / Reuters file

Documents containing email addresses and purported login information belonging to medical researchers and nonprofit employees working to address the coronavirus outbreak are circulating online among fringe conspiracy theorists — a warning sign that they may soon become the target of online harassment.

Some of the documents are dated as early as Sunday, April 19, but were spread widely on Twitter and fringe message board 4chan on Tuesday, alongside false claims that some major organizations had suffered data breaches.

But analysis of the information by cybersecurity experts found that it had likely been collected from previous breaches, a practice that is not uncommon in the internet's black market for data.

NBC news was able to find the documents containing the account information on Pastebin, a plain text site frequently used by hackers to dump their findings. Three of the documents constitute 277 email addresses from the Bill and Melinda Gates foundation, 20 from the Wuhan Institute of Virology (WIV), and nearly 7,000 from the World Health Organization. All three organizations have been the subject of conspiracy theories blaming them for the spread of the coronavirus.

An analysis of the email addresses found that while they were at least largely legitimate accounts, it's unlikely they were recently hacked.

Analysis by Steve Ragan, a researcher at the internet infrastructure and cybersecurity firm Akamai Technologies, on some of the leaked email addresses found that they had all been leaked in previous breaches, indicating that whoever made the documents had simply searched for known emails with the WHO, WIV and Gates Foundation's domain names. In many cases, they dated back to hacks from years ago, like the Tumblr breach of 2013 or Dropbox in 2016.

The account credentials, mostly links to the Pastebin text files, were dumped onto 4chan, a rightwing extremist forum, and 9chan, a recently created offshoot.

Chatter about the existence of the info dump then moved around pro-Trump blogs, Reddit’s r/conspiracy forum and right-wing Twitter accounts, which implored users to publicize any documents found by logging into the accounts.

The WHO and WIV didn't immediately respond to requests for comment. A Gates Foundation spokesperson said in an email that "we don’t currently have an indication of a data breach at the foundation."

Even though those organizations don't appear to have suffered any data breaches, the existence of the documents serves as a wake-up call that anyone who works for those organizations may face online harassment and are particularly vulnerable if they still use that same password with any of their accounts.

"One of the reasons you don't reuse passwords is exactly what we're seeing today," Ragan said.

Bad actors using exposed passwords to log onto different websites is a technique that has fueled some of the most infamous data breaches in recent years.

In late December, hackers used login credentials that were previously exposed in other notorious hacks to log into unsuspecting Ring Doorbell accounts. The hackers then commandeered the camera and speakerphone, sometimes taunting children in their bedrooms with ominous music.

In February, because of the hacks, Ring forced users to use two-factor authentication, in which users have to enter a code sent to a secondary device to prove their identity.