Twitter is actively removing email and password lists allegedly from the National Institute of Health and the World Health Organization, the BBC has learned.
They were initially sent to the 4chan group of messages, according to a report from an organization that controls right-wing extremism.
The BBC understands that some of the credentials stem from old hacking attacks.
Site Intelligence Group did not say who published them or whether they were authentic.
Subsequently, the list was also published on Pastebin, which is often used to reveal compromised information and Twitter.
In a tweet, Site director Rita Katz said the alleged list was used by far-right extremists as part of a “harassment campaign”.
He also provided details of the research, indicating that:
- 9,938 emails and passwords came from the National Institute of Health (NIH)
- 6,857 by the Centers for Disease Control and Prevention (CDC)
- 5,120 from the World Bank
- 2.732 World Health Organization (WHO)
- 269 by the Gates Foundation
- 21 from the Wuhan Institute of Virology
The NIH told the BBC that it was investigating the leak, but none of the other organizations responded to requests for comment.
The Gates Foundation told the Washington Post, which originally broke the news, who was investigating but had no evidence of a data breach.
Security researcher Robert Potter tweeted who believed that the leaked WHO credentials were authentic but “from a previous attack”.
“Health agencies are traditionally pretty bad for cyber security,” he wrote.
The BBC understands that the World Bank’s credentials probably stem from an old attack.
Some right-wing groups have questioned the science around the coronavirus pandemic and according to Graphika – a service that uses AI to study social media disinformation – have played a disproportionate role in spreading fake news about the virus.
WHO has called the amount of false and misleading information about Covid-19 “infodemic”.