It’s unclear whether the alleged credentials were leaked through a breach of official systems or a part of an earlier data breach.
Some of the email addresses and passwords have been spread online
Around 25,000 email addresses and passwords allegedly related to the employees at health organisations the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), the National Institutes of Health (NIH), and the Bill & Melinda Gates Foundation among others working to fight the coronavirus outbreak were dumped online, according to a media report. Some unknown activists have also spread the credentials online via Twitter. The new revelation has emerged amid the COVID-19 pandemic that has impacted millions of individuals all across the globe.
SITE Intelligence Group, the non-governmental organisation (NGO) that tracks the online activities of extremist groups, found the dumped data and reported its spread on the Web, according to the Washington Post. There isn't any clarity whether the data was leaked through a breach of official systems or a part of an earlier data breach. The NGO was also not able to verify the authenticity of email addresses and passwords.
However, the group did reportedly mention that some hacks were attempted almost immediately after receiving the information on Sunday and Monday this week. The paper also quoted an Australian cyber-security expert who was able to verify the WHO email addresses and passwords and said that the alleged data might have been purchased from some dark Web vendors.
Some credentials, whose origins weren't clear, were initially posted to text storage portal Pastebin. A link to that data was also reportedly made public on Twitter and some far-right extremist channels on Telegram.
The group reportedly said that the largest group of purported data was from the NIH, with over 9,900 accounts found on online listings. That was followed by the alleged emails and passwords from the CDC and WHO.
“We are always working to ensure optimal cyber safety and security for NIH and take appropriate action to address threats or concerns. We do not comment on specific cyber-security matters, as such such information could be used to undertake malicious activities,” the NIH said in a statement issued pertaining to the matter, as quoted by the paper.
The WHO also released a statement confirming the incident reported by SITE and cited even a higher number of exposed credentials than the 6,835 number mentioned in the report. However, the agency responsible for international public health said that only 457 of the total exposed data were active and valid, and none of those were compromised. It also reset the passwords for the affected users as a precautionary measure.
The Gates Foundation, on the other hand, said that it didn't have an indication of a data breach. “We are monitoring the situation in line with our data security practices,” it said in a separate statement.
Since some data has been spread through Twitter, the microblogging network is taking down the URLs suspected to spread the information online.
“We're aware of this account activity and are taking widespread enforcement action under our rules, specifically our policy on private information,” said Twitter spokeswoman Katie Rosborough.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.