Black Hat makes light of accidental password-reset email

A Black Hat volunteer mistakenly sent to 7,500 conference goers a password-reset email that was initially thought to be a phishing attempt.

Organizers of the security conference, which started Saturday in Las Vegas, quickly released a statement making light of the error with a quote from Robert J. Hanlon: "Never attribute to malice that which is adequately explained by stupidity." Hanlon had submitted the quote for a 1980 compilation of various jokes related to Murphy's Law.

The volunteer, one of many at the conference, had triggered the mailing by changing the setting of a template system used in sending mass emails, said Wolfgang Kandek, chief technology officer for Qualys, who received one of the messages. "I thought it was some kind of test Black Hat was doing."


Black Hat General Manager Trey Ford issued a statement saying that a flaw in the system had made it possible for the volunteer to get the necessary privileges for sending mass emails.

"The email this morning was an abuse of functionality by a volunteer who has been spoken to," Ford said.

The email contained the subject line "your admin password" and the address of ITN International, the contractor used by Black Hat for on-site registration.

There were no reports of conference attendees clicking on the embedded link in the email to change their show passwords. Black Hat said there was no compromise of its database or attendee information.

Obvious signs that the email was a mistake included that it lacked the new credentials that would have been needed to change the original password. In addition, Black Hat participants, who are mostly security experts, probably noticed that the embedded link led to a site other than Black Hat's. "Would we have clicked on anything like that? No, I don't think so," Kandek said on Monday.

Nevertheless, Black Hat attendees have played pranks on each other and occasionally on show organizers over the years. Ford made reference to the possibility of such mischief in his apology to people who received the email.

"We love to tease people that your systems need to be ready to hold their own if joining the Black Hat network," Ford said. "In this frame of mind, the community very correctly expected a prank or act of malice."

In the past, attendees at Black Hat and another security conference, Defcon, have hacked Las Vegas hotel TV billing systems and wireless computer networks to play tricks on fellow attendees. A "wall of sheep" has sometimes been created to display the names and partial passwords sniffed from unsecured computers on Wi-Fi networks.
