Huddle leak: KPMG’s sensitive financial files exposed in cybersecurity loophole


Huddle was not hacked; instead, a security snafu issued the same security token to multiple users.


A cybersecurity bug in Huddle, a workplace collaboration software used by more than 160,000 organisations including the UK’s National Health Service (NHS), Home Office and HM Revenue & Customs, reportedly resulted in sensitive user files being exposed online.

According to the BBC, which discovered the flaw, financial information from consultancy giant KPMG was found to be accessible with credentials not linked to the firm. A journalist reportedly found the bug by accident after trying to access a shared work diary.

Huddle claimed the issue affected “six individual user sessions between March and November this year” and confirmed that a “third party” had accessed the BBC’s account – but said no files were stolen.

The vulnerability has been resolved, it added.

Describing the flaw, a representative said that if two sign-ins occurred within 20 milliseconds of each other, the users would be given the same authorisation code.

This meant the first person to click the link at the next stage of the two-factor process would be granted entry as the administrator. The system has now been changed so that two user accounts will never be sent the same code at once, Huddle noted.
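The following is an added illustration, not Huddle's code: it models a two-factor code issuer whose code depends only on a 20 ms clock bucket (an assumed mechanism that reproduces the collision described above), beside a hardened issuer that draws each code from a CSPRNG, refuses duplicates among outstanding codes, and binds each code to the account that requested it. All user names and the server secret are constructed sample values.

```python
import hmac
import secrets
from typing import Dict, Optional


class TimeBucketIssuer:
    """Constructed vulnerable model: the code is a function of the 20 ms window
    in which sign-in happened, not of the user, so two sign-ins in one window
    receive the identical code (assumed mechanism, not Huddle's implementation)."""

    def __init__(self, secret: bytes = b"constructed-server-secret") -> None:
        self.secret = secret
        self.pending: Dict[str, str] = {}  # code -> account it was issued for

    def issue(self, user: str, now_ms: int) -> str:
        bucket = str(now_ms // 20).encode()
        code = hmac.new(self.secret, bucket, "sha256").hexdigest()[:12]
        self.pending[code] = user  # a second issuance silently overwrites the first
        return code

    def redeem(self, code: str) -> Optional[str]:
        # Whoever presents the code first is granted the session recorded under it,
        # even if that session belongs to the other account.
        return self.pending.pop(code, None)


class BoundCodeIssuer:
    """Hardened model: unpredictable, collision-checked, single-use codes that are
    tied to the account that started the sign-in."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}

    def issue(self, user: str) -> str:
        code = secrets.token_urlsafe(32)
        while code in self.pending:  # never have two outstanding identical codes
            code = secrets.token_urlsafe(32)
        self.pending[code] = user
        return code

    def redeem(self, code: str, claimant: str) -> Optional[str]:
        # The code only completes the sign-in it was issued for; anyone else's
        # attempt fails without revealing whether the code exists.
        owner = self.pending.get(code)
        if owner is None or not hmac.compare_digest(owner.encode(), claimant.encode()):
            return None
        del self.pending[code]  # single use
        return owner
```
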

“We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated,” the company told the BBC.

“We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologise to them unreservedly.”

Luckily for its userbase, which includes governments, financial institutions and universities, the firm said the problems were not believed to be widespread.

But some experts said the discovery shows all software can have bugs – even the ones claiming to offer ultra-secure protections for user information.

“Clearly, as demonstrated by this situation, there is a lack of security,” said Bill Evans, senior director at One Identity, a cybersecurity and authentication company.

Evans added: “In Huddle’s defence, it was forthcoming regarding the bug and it has been fixed. Moreover, it was clear that this bug was encountered incredibly infrequently.

“But nonetheless, it was a security flaw from a company that bills itself as a security-minded company, stewards of sensitive and confidential information.”

KPMG did not immediately respond to a request for comment from IBTimes UK.

