The organisers of the Black Hat security conference have apologised for accidentally sending password reset emails to 7,500 delegates, a blunder that some took to be evidence that the event's database had been hacked to fuel a phishing campaign.
Visitors to Black Hat, which began on 21 July, count themselves among the most justifiably paranoid people on earth, so suspicions were heightened when inboxes started filling with emails from itn-international.com with the subject line 'Your admin password', followed by this message:
You have requested a new password. Here are your details:
To sign in, please go to this URL:
If such a gauche communication had been a phishing scam or prank that would have been bad enough, but it turned out to be a genuine message from the event's organisers.
“We love to tease people that your systems need to be ready to hold their own if joining the Black Hat network. In this frame of mind, the community very correctly expected a prank or act of malice,” said Black Hat general manager Trey Ford, using a mix of humour and contrition to hide his obvious embarrassment.
“For those of you intimately acquainted with Black Hat, our show is powered by an army of volunteers - they handle everything from building classrooms for training, proctoring speakers and sessions, to checking you in at registration,” he added, before explaining that an out-of-their-depth volunteer had sent the email by mistake.
“The email this morning was an abuse of functionality by a volunteer who has been spoken to. This feature has since been removed as a precautionary measure.”
For Black Hat delegates, the panic is over even if the organisation will find itself on the end of jibes for some time to come.
As some have pointed out, it wasn't simply that the email was sent at all that raised concerns, but the structure of the whole communication from top to bottom.
“The volunteer's behaviour doesn't explain away the phishiness factors. It sounds as though the BlackHat conference might indeed have sent you an email of this sort. Just not this one,” said Paul Ducklin of security company Sophos, not himself attending the event.