Huddle leak: KPMG's sensitive financial files exposed in cybersecurity loophole
Huddle was not hacked and the company has now fixed the reported bug.
A cybersecurity bug in Huddle, a workplace collaboration software used by more than 160,000 organisations including the UK's National Health Service (NHS), Home Office and HM Revenue & Customs, reportedly resulted in sensitive user files being exposed online.
According to the BBC, which discovered the flaw, financial information from consultancy giant KPMG was found to be accessible with credentials not linked to the firm. A journalist reportedly found the bug by accident after trying to access a shared work diary.
Huddle claimed the issue affected "six individual user sessions between March and November this year" and confirmed that a "third party" had accessed the BBC's account - but said no files were stolen.
The vulnerability has been resolved, it added.
Describing the flaw, a representative said that if two sign-ins occurred within 20 milliseconds of each other, the users would be given a shared authorisation code.
If this happened, both users could be issued with the same authorisation code and redirected to the token issuer. In effect, both users would be authenticated as the same person.
In essence, both users take their authorisation codes to the token issuer: the first one to reach the issuer gets an authentication token as "User A", and the second one receives an error stating "that authorisation code has already been used."
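The flow described above can be modelled as an authorisation-code issuer. The following is an added example, not Huddle's code; the article does not say how the shared code arose, so the weak issuer assumes a code derived from the sign-in time in 20 ms buckets, while the hardened issuer shows the properties a defender wants: an unpredictable per-sign-in code, bound to the session that authenticated, and consumed atomically exactly once.

```python
import secrets
import threading

# Added example, not Huddle's code: an OAuth-style authorisation-code issuer.
# The article does not say how the shared code arose; WeakIssuer ASSUMES a code
# derived from the sign-in time in 20 ms buckets, which reproduces the symptom:
# the first to redeem the shared code is "User A", the second gets "already used".

class WeakIssuer:
    """Code derived from a coarse clock and not bound to the session that signed in."""
    def __init__(self):
        self.codes, self.lock = {}, threading.Lock()   # code -> user first issued to

    def issue(self, user, session_id, now_ms):
        code = f"code-{now_ms // 20}"                  # same 20 ms window, same code
        with self.lock:
            self.codes.setdefault(code, user)          # later sign-in keeps the first binding
        return code

    def redeem(self, code, session_id):
        with self.lock:
            user = self.codes.pop(code, None)          # single use, presenter not checked
        if user is None:
            return ("error", "that authorisation code has already been used")
        return ("token", user)

class HardenedIssuer:
    """Unpredictable per-sign-in code, bound to the session, consumed atomically once."""
    def __init__(self):
        self.codes, self.lock = {}, threading.Lock()   # code -> (user, session_id)

    def issue(self, user, session_id, now_ms):
        code = secrets.token_urlsafe(32)               # 256-bit random; time plays no part
        with self.lock:
            self.codes[code] = (user, session_id)
        return code

    def redeem(self, code, session_id):
        with self.lock:
            entry = self.codes.pop(code, None)         # atomic take-once
        if entry is None or entry[1] != session_id:    # unknown, reused, or another session's
            return ("error", "invalid or already used authorisation code")
        return ("token", entry[0])

def simulate(issuer):
    """Two users sign in 5 ms apart; each redeems the code it was handed."""
    code_a = issuer.issue("User A", "sess-A", now_ms=1000)
    code_b = issuer.issue("User B", "sess-B", now_ms=1005)
    return {"A": issuer.redeem(code_a, "sess-A"), "B": issuer.redeem(code_b, "sess-B")}
```

Running `simulate` against each issuer shows the weak one authenticating only the first redeemer and rejecting the second, while the hardened one issues a distinct token to each user and refuses a code presented by a session other than the one it was issued to.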
A spokesperson said: "With 4.96 million log-ins to Huddle occurring over the same time-period, the instances of this bug occurring were extremely rare.
"However, Huddle takes the security of its client data extremely seriously and the owners of any accounts that we believe may have been compromised by this bug have been notified.
"While this is an unfortunate, and concerning issue, in no way were any of the instances a malicious attempt by one party to gain access to another party's data.
"In all cases, users were unwittingly directed to an incorrect Huddle Workspace.
"Huddle prides itself on delivering the best service and support to its clients. We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologise to them unreservedly.
"We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated."
Fortunately for its user base, which includes governments, financial institutions and universities, the firm said such problems were not believed to be widespread.
But some experts said the discovery shows all software can have bugs – even the ones claiming to offer ultra-secure protections for user information.
"Clearly, as demonstrated by this situation, there is a lack of security," said Bill Evans, senior director at One Identity, a cybersecurity and authentication company.
"In Huddle's defence, it was forthcoming regarding the bug and it has been fixed. Moreover, it was clear that this bug was encountered incredibly infrequently," he added.
KPMG did not immediately respond to a request for comment from IBTimes UK.
This article has been updated with comment from Huddle.