Stratfor hackers publish email, password data

Boston Fri Dec 30, 2011 6:44pm EST

Boston (Reuters) - Hackers affiliated with the Anonymous group published hundreds of thousands of email addresses belonging to subscribers of private intelligence analysis firm Strategic Forecasting Inc along with thousands of customer credit card numbers.

The lists, which were published on the Internet late on Thursday, included information on people including former U.S. Vice President Dan Quayle, former Secretary of State Henry Kissinger and former CIA Director Jim Woolsey. They could not be reached for comment.

The lists included information on large numbers of people working for big corporations, the U.S. military and major defense contractors - which attackers could potentially use to target them with virus-tainted emails in an approach known as "spear phishing."

The Antisec faction of Anonymous disclosed last weekend that it had hacked into the firm, which is widely known as Stratfor and is dubbed a "shadow CIA" because it gathers non-classified intelligence on international crises.

The hackers had promised that the release of the stolen data would cause "mayhem." A spokesperson for the group said via Twitter that yet-to-be-published emails from the firm would show "Stratfor is not the 'harmless company' it tries to paint itself as."

Antisec has not disclosed when it will release those emails, but security analysts said they could contain information that could be embarrassing for the U.S. government.

"Those emails are going to be dynamite and may provide a lot of useful information to adversaries of the U.S. government," said Jeffrey Carr, chief executive of Taia Global Inc and author of the book "Inside Cyber Warfare: Mapping the Cyber Underworld."

Stratfor issued a statement on Friday confirming that the published email addresses had been stolen from the company's database, saying it was helping law enforcement probe the matter and conducting its own investigation.

"At Stratfor, we try to foster a culture of scrutiny and analysis, and we want to assure our customers and friends that we will apply the same rigorous standards in carrying out our internal review," the statement said.

"There are thousands of email addresses here that could be used for very targeted spear phishing attacks that could compromise national security," said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, a non-profit group that studies cyber threats.

NO THREAT SO FAR - PENTAGON

The Pentagon said it saw no threat so far.

"We are not aware of any compromise to the DOD information grid," said Lieutenant Colonel Jim Gregory, a spokesman for the Department of Defense.

In a posting on the data-sharing website pastebin.com, the hackers said the list included information from about 75,000 customers of Stratfor and about 860,000 people who had registered to use its site. It said that included some 50,000 email addresses belonging to the U.S. government's .gov and .mil domains.

The list also included addresses at contractors including BAE Systems Plc, Boeing Co, Lockheed Martin Corp and several U.S. government-funded labs that conduct classified research in Oak Ridge, Tennessee; Idaho Falls, Idaho; and Sandia and Los Alamos, New Mexico.

Corporations on the list included Bank of America, Exxon Mobil Corp, Goldman Sachs & Co and Thomson Reuters.

The entries included scrambled versions of passwords. Some of them can be unscrambled using databases known as rainbow tables that are available for download over the Internet, according to Bumgarner.

He said he randomly picked six people on the list affiliated with U.S. military and intelligence agencies to see if he could crack their passwords.

He said he was able to break four of them, each in about a second, using one rainbow table.

(Additional reporting by Tabassum Zakaria and Mark Hosenball in Washington; Editing by Vicki Allen and Peter Cooney)

FILED UNDER: