Hackers Grab 90,000 Military Emails, Encrypted Passwords
An online break-in at a defense contractor left tens of thousands of .mil email users at risk of having their account illegally accessed or even hijacked for nefarious purposes.
A hacker collective that calls itself AntiSec said Monday that it had stolen roughly 90,000 military email addresses and the corresponding password hashes (reported in early coverage as “encrypted passwords”) from the servers of Booz Allen Hamilton, a consulting firm and Pentagon contractor.
“We infiltrated a server on their network that basically had no security measures in place,” the group said in a statement posted on a file-sharing website. “We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes.”
A later analysis by the Associated Press suggested the number of military email addresses was closer to 50,000. Whatever the number, the security risk is real, said a cybersecurity analyst.
Precomputed password-cracking tables called “rainbow tables” are available online, said Jerry Dixon of Team Cymru, a Chicago nonprofit cybersecurity firm. Simple passwords, such as those composed of common words or only lowercase letters, might be cracked within minutes using the tables and common computer graphics processing hardware.
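The paragraph above describes two ways a dump of password hashes is attacked: looking each hash up in a table computed ahead of time, and guessing short, single-case passwords exhaustively. The following is an added example, not code from the article or from any party it describes. The article does not say which hash algorithm Booz Allen stored, so MD5 is assumed here purely for illustration; the wordlist, the sample dump and its addresses are constructed. It also shows the caveat the paragraph leaves out: a per-user salt makes the precomputed table useless, because every salt would need its own table.

```python
import hashlib
import itertools
import string

# Constructed wordlist: stands in for the candidate space a rainbow table is
# built from. Real tables cover millions of candidates; six are enough to show
# the mechanics.
WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey", "sunshine"]


def md5_hex(data: bytes) -> str:
    """Assumed hash function; the article does not say which one was used."""
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words, hash_fn=md5_hex):
    """Precompute digest -> plaintext once, before any breach.

    A real rainbow table compresses this with hash/reduce chains so it fits
    on disk; a flat dict shows the same trade-off: the work is done up front,
    and every unsalted hash of a covered candidate is then a single lookup.
    """
    return {hash_fn(w.encode()): w for w in words}


def lookup(table, digest):
    """Constant-time reversal of an unsalted digest the table covers, else None."""
    return table.get(digest)


def brute_force_lowercase(digest, max_len=4, hash_fn=md5_hex):
    """Try every all-lowercase string up to max_len characters.

    26**4 is under half a million guesses: seconds on a CPU and trivial on a
    GPU, which is why short, single-case passwords fall so quickly.
    """
    for n in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=n):
            candidate = "".join(chars)
            if hash_fn(candidate.encode()) == digest:
                return candidate
    return None


def salted_md5_hex(password: str, salt: bytes) -> str:
    """Same hash with a per-user salt prepended. The precomputed table no
    longer applies, since the attacker would need one table per salt value."""
    return md5_hex(salt + password.encode())


def crack_dump(table, dump):
    """dump: list of (account, unsalted hex digest).

    Returns account -> recovered password, or None where the table misses.
    """
    return {account: lookup(table, digest) for account, digest in dump}


TABLE = build_lookup_table(WORDLIST)

# Constructed stand-in for a leaked dump; the addresses are not real.
SAMPLE_DUMP = [
    ("user1@example.invalid", md5_hex(b"sunshine")),     # common word: cracked
    ("user2@example.invalid", md5_hex(b"Tr0ub4dor&3")),  # not in table: missed
]

if __name__ == "__main__":
    print(crack_dump(TABLE, SAMPLE_DUMP))
    print(brute_force_lowercase(md5_hex(b"abc")))
    # Salted digest of a word that IS in the wordlist still misses the table.
    print(lookup(TABLE, salted_md5_hex("sunshine", b"\x9a\x3c")))
```

The lookup succeeds only for unsalted hashes of candidates the table already covers; the brute-force loop is the fallback for anything short and lowercase, and it is the step that graphics hardware accelerates. Neither approach is defeated by a longer hash output, only by salting and by a deliberately slow password hash.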
“My suspicion is that yes, someone has already gotten into some accounts,” he said. “Maybe they’re using them now to social engineer someone” – using a hijacked account to trick unsuspecting email users into divulging privileged information or granting access into other computer networks.
The solution to the email theft, Dixon said, is to require affected users to immediately change their passwords or face having their accounts locked. Booz Allen Hamilton and the Pentagon likely took that action as soon as the breach was known, he said.
“I’m sure they have already been working to get those passwords reset,” he said. “The passwords are stolen and now they’re racing the clock.”
Even if all accounts are locked down before any are broken into, the AntiSec group scores a malicious victory of sorts by forcing thousands of hours of work to clean up the mess, Dixon said.
The loose hacker confederation targets corporations and governments to protest what it calls over-aggressive Internet monitoring. Also called Operation AntiSec, it formed as an outgrowth of a now-defunct hacker group, LulzSec, with cooperation from members of the Anonymous group. Collectively, the groups have defaced government websites and broken into the networks of major corporations worldwide.
Booz Allen Hamilton did not respond to requests for comment, but via Twitter on Monday declined to offer details: “As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems.”