Anonymous leaks 90,000+ military email addresses stolen from Booz Allen Hamilton

Filed Under: Data loss, Featured, Privacy

The latest attack in the "#antisec" movement targeted Booz Allen Hamilton, a consulting firm that works with the US government. Anonymous claims to have broken into an unprotected server and stolen a significant amount of data.


Anonymous claims to have released email addresses belonging to more than 90,000 US military personnel. Many people downplay the attack as "only email addresses", but these particular addresses are worth more than they appear.

Look back at the high-profile Gmail accounts that were hacked earlier this year: there is clearly demand for information about individuals connected to US defense, because that information can be used to target their accounts and computers.

As Mila at the Contagio blog wrote about the Gmail attack, the purpose isn't so much to gain access to the email account itself as to use email as the vehicle for infecting the victim's computer with malware. A verified list of military addresses is exactly the targeting data such a spear-phishing campaign needs.

The bigger problem for Booz Allen Hamilton is that the passwords stored alongside these email addresses were protected by nothing more than an unsalted hash (Anonymous's own release describes them as unsalted MD5). Without a salt, every account in the dump can be tested against a precomputed table or a single pass over a wordlist, and users who chose the same password are visible at a glance because their hashes are identical. The majority of the passwords will likely be recovered.
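To make the cost difference concrete, here is an added example (not code from the original post or from anyone involved in the incident) that builds a constructed dump of four hypothetical accounts with unsalted MD5 hashes, cracks it with a small wordlist, and then repeats the attack against the same passwords stored with a per-user salt and PBKDF2. The email addresses, passwords and wordlist are all made up for the demonstration.

```python
"""Unsalted fast hash versus salted slow hash: how much work a cracker does.

Added example with constructed data; nothing here comes from the real dump.
"""
import hashlib
import os

# Constructed sample accounts (hypothetical addresses). Alice and Carol share
# a password; Dave's is not in the wordlist below.
SAMPLE_PASSWORDS = {
    "alice@example.mil": "password1",
    "bob@example.mil": "letmein",
    "carol@example.mil": "password1",
    "dave@example.mil": "Tr0ub4dor&3xyz",
}

# What an unsalted dump looks like: (email, hex MD5 of the password).
DUMP = [(email, hashlib.md5(pw.encode()).hexdigest())
        for email, pw in SAMPLE_PASSWORDS.items()]

# A tiny constructed wordlist; real ones have hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "welcome"]


def shared_hashes(dump):
    """Identical passwords give identical unsalted hashes, so password
    sharing leaks before a single guess is made. Returns {hash: [emails]}
    for hashes that appear more than once."""
    groups = {}
    for email, h in dump:
        groups.setdefault(h, []).append(email)
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


def crack_unsalted(dump, wordlist):
    """One MD5 per candidate word covers every account in the dump: hash the
    wordlist once into a lookup table, then each record is a dict hit.
    Returns (cracked {email: password}, number of hashes computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump if h in table}
    return cracked, len(wordlist)


def make_salted_record(password, iterations=50_000):
    """Store a password the right way: random per-user salt plus a slow,
    iterated KDF. Returns (salt, iterations, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def crack_salted(records, wordlist):
    """With per-user salts no table can be shared across accounts: every
    candidate must be re-derived for every user, and each derivation costs
    `iterations` HMAC calls instead of one MD5. Returns (cracked, number of
    PBKDF2 derivations performed)."""
    cracked = {}
    derivations = 0
    for email, (salt, iters, digest) in records.items():
        for w in wordlist:
            derivations += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters) == digest:
                cracked[email] = w
                break
    return cracked, derivations


if __name__ == "__main__":
    print("shared hashes:", shared_hashes(DUMP))
    print("unsalted:", crack_unsalted(DUMP, WORDLIST))
    salted = {e: make_salted_record(p) for e, p in SAMPLE_PASSWORDS.items()}
    print("salted:", crack_salted(salted, WORDLIST))
```

Against the unsalted dump the three weak passwords fall after six MD5 computations in total, and Alice and Carol's shared password is visible without cracking anything. Against the salted records the same wordlist costs one PBKDF2 derivation per (user, word) pair, each of which is tens of thousands of times slower than MD5, and the shared password is hidden because the two records carry different salts. Salting does not rescue a password that is in every wordlist, but it removes the economy of scale that makes a 90,000-record dump so cheap to process.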


In addition to the email addresses, Anonymous claims to have erased 4 gigabytes of source code and to have found information that could help them attack US government systems and those of other contractors.

While this is certainly embarrassing for Booz Allen Hamilton, the real impact falls on the US military. These 90,000+ individuals will need to reset their passwords and, more importantly, change them on every other system where the same password was reused.

While this isn't likely to do much good, could I please have the attention of everyone responsible for collecting user names, passwords and personal information from the public? Listening?

Could we please treat these attacks as a shot across the bow? Now is the time to secure your data. Encryption of stored data is NOT optional, and neither is storing passwords only as salted, slow hashes. For some helpful advice you may wish to check out our Data Security Toolkit.


6 Responses to Anonymous leaks 90,000+ military email addresses stolen from Booz Allen Hamilton

  1. Edward · 1115 days ago

    Good article! I love your work, Wisniewski. I've been following Sophos since 5th grade.

  2. Herp · 1115 days ago

    First, there are a lot of dupes. Only about 55k unique .mil addresses.

    Second, these aren't passwords to those email accounts, unless they are re-used for said email accounts (which are typically logged onto via CAC).

    Third, meh. It's not about the emails - it's about BAH being clueless (care to guess how much money gets funneled their way to be 'secure'?)

  3. FrndAnna2003 · 1115 days ago

    You can be sure the Chinese and Russians are going to thoroughly go through all this information. These Anti-Sec attacks by Anonymous are all aimed towards Western democracies, and likely will compromise them in unforeseeable ways.

    A friend of mine who works at a large US economic agency told me of how a colleague's email address book was tampered with during a government sponsored symposium in Beijing. In the end they suspected the Chinese government planted spyware and bugged their hotel room, a common complaint from many business groups. Getting the identification, not to mention passwords, of contacts is the aim for a lot of shady groups. In the end Anonymous will simply be seen as a helpful tool by groups like the Chinese government, criminal groups, etc.

  4. gaten · 1115 days ago

    I haven't checked the actual torrent myself, but the Anonymous "press release" states that the files were hashed with MD5: "Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!).", not a SHA hash as your article states.

  5. dazzlepod · 1115 days ago

    For military personnel to check if your account was leaked: http://dazzlepod.com/boozallen/

  6. Covey44 · 1114 days ago

    FALSE FLAG - FALSE FLAG - FALSE FLAG ! The government is at it again - ATTACK ITSELF - make it look like hackers - easily pass legislation to restrict the internet to make it more 'SECURE'


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.