Hackers Breach San Francisco Airport Websites
Officials Say Usernames and Passwords Stolen
San Francisco International Airport has disclosed that hackers stole usernames and passwords from two of its websites in March.
The sites hacked were SFOConnect.com, which provides updates about the airport to passengers and travelers, and SFOConstruction.com, which contains information about construction and building projects at the airport, according to a recent notification.
As of Monday, the SFOConnect site was functional, providing information about passenger services, flight information and the effects of the COVID-19 pandemic on the airport. The SFOConstruction site, however, was still down and only provided a link to the breach notification page.
While the breach notification notes that the incident happened in March and that airport authorities are still investigating, officials did not disclose how many passwords and usernames may have been compromised or if the breach affected passengers, airport employees or both.
An airport spokesperson did not immediately reply to a request for comment.
San Francisco International Airport ranks as the seventh-busiest airport in the U.S., and its website says the airport normally handles about 58 million passengers a year. The airport is owned and operated by the city of San Francisco.
In the breach, hackers inserted malicious code into the two websites to steal users' login credentials, according to the notification. The notification does not clarify whether the attack started with a phishing email or an exploit of a vulnerability.
"Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by San Francisco International Airport," according to the notification.
Once the hacking was identified, the two sites were taken down and malicious code was removed, according to the notification. Airport officials forced a reset of all email and network passwords on March 23.
Airport officials are now urging anyone who may have visited these two sites or set up an account to reset their passwords and usernames, especially if they use a Windows-based device.
While it's not clear what the motivation was behind this attack, the two sites appear to have relied on single-sign-on authentication, which made them more susceptible to this type of hacking, says Fausto Oliveira, principal security architect at security firm Acceptto.
"The SFOConstruction.com website requires a registration code that is published on the website itself, hardly an effective measure to prevent account takeover on first use and something that can be exploited easily by threat actors using low effort social engineering attacks," Oliveira tells Information Security Media Group. "Likewise, SFOConnect.com reveals data that helps understand the makeup of the information hosted, and there is a SharePoint website that contains airport commission information. This type of data should never be exposed to unauthenticated users."
Oliveira says that even a simple two-factor authentication process may have stopped some of the data from being exposed.
In another recent hacking incident affecting an airport, officials at the Albany (New York) International Airport disclosed in January that they paid off the Sodinokibi ransomware gang after a Christmas attack on the airport's network. The incident remains under investigation by the FBI and the New York State Cyber Command (see: Albany Airport Pays Off Sodinokibi Ransomware Gang: Report).