After police raid on COVID-19 whistleblower, it’s revealed password was publicly posted on Florida Department of Health’s website

Same username and password was shared with all employees… and the entire internet.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

After police raid on COVID-19 whistleblower, it's revealed password was publicly posted on Florida Department of Health's website

On the latest “Smashing Security” podcast, special guest Anna Brading told us the story of Rebekah Jones – the architect of Florida’s COVID-19 dashboard, who was fired after refusing to follow requests to manipulate the data for political purposes.

Jones’s home was raided and searched by armed police earlier this week, after authorities claimed she was the person responsible for using a state emergency-responder system to send a message to some 1700 personnel.

Sign up to our free newsletter.
Security news, advice, and tips.

The message urged recipients to stand up to pressure from their bosses to hide the full picture of how the pandemic has impacted Florida residents:

“speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be a part of this. Be a hero. Speak out before it’s too late.”

Jones has denied having anything to do with the message or the unauthorised access to the emergency system, and has shared a video of the raid on her home:

Now it has been revealed that not only were the same username and password shared by all state employees with access to the emergency alert messaging system, but also that those login credentials were actually posted on the website of Florida’s Department of Health.

Umm.. regardless of who might or might not have sent the message that started this whole furore, it doesn’t sound like the state of Florida was taking password security seriously.

Passwords should not be shared. Passwords should not be posted publicly on websites. Passwords should be changed when people leave your organisation. Passwords should be unique, impossible to guess, and difficult to crack.

You can hear more about the background on this case on the latest “Smashing Security” podcast:

Smashing Security #208: 'Hidden treasure, COVID tracker trauma, and happy holidays with IoT'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “After police raid on COVID-19 whistleblower, it’s revealed password was publicly posted on Florida Department of Health’s website”

  1. Ph Bly

    I note that the webmail portal is using HTTP ?
    http://webmail.myflorida.com

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.