An analysis of the data leaked by hackers after an attack on US-based security intelligence firm Strategic Forecasting (StratFor) has verified that the credit card details of more than 50,000 users are in the wild, with the hackers threatening to release roughly the same number again in the coming days.
The hackers, operating as a loosely-arranged group under the ‘AntiSec’ movement, have posted customer accounts for about half of past and present StratFor clients (those names from ‘A’ to ‘M’), which includes the agencies of the US Government and its allies plus thousands of multinational corporations. The hackers have threatened to release the ‘N’ to ‘Z’ list shortly.
The hackers also claim to be in possession of a trove of emails and IT support tickets detailing communication between StratFor and its customers.
Analysis of the existing trove of exposed data by InfoSec firm Identity Finder discovered 50,277 unique credit card numbers. Only 9,651 of these were currently active, which speaks to claims by StratFor chief executive George Friedman that the list featured names of casual subscribers to the think tank’s publications rather than its current consulting base.
But Identify Finder privacy officer Aaron Titus said that many card numbers are re-issued, and many credit card processing engines do not ask for expiration dates.
The dump also included 86,594 Email addresses (47,680 were unique), 27,537 Phone Numbers (of which 25,680 are unique), and 44,188 Encrypted Passwords.
Titus’ analysis concluded that 50 percent of these encrypted passwords could easily be cracked. Upon decryption, Identity Finder found the security policies of these firms to be woefully lacking – some 73.7 percent were weak passwords, 21.7 percent media and only 4.6 percent strong.
Titus noted that many impacted customers would have to change their passwords across a multitude of online services.
"The threat of password re-use is significant,” he said. “Passwords are a digital identity and password reuse is a serious problem that could lead toward identity fraud. The victims will have no way to know when an identity thief is reusing their email and password combination to attempt to log into their online bank, an online retailer where they have saved their credit card for future purchases, or other online accounts such as e-mail."
Robin Hood hacking?
The hackers claim to have used some of the credit card details to donate money to charitable causes on behalf of StratFor customers.
One set of screenshots posted on Pastebin revealed the hackers had used the credit card details of staff from the Department of Homeland Security to donate money to the American Red Cross and used the details of staff from the US Department of Defence and Defence Intelligence Agency to donate to CARE.