Anonymous Exposes 90,000 Military Passwords in Booz Allen Hamilton Hack
The hacking collective Anonymous released documents it claims were stolen from government contractor Booz Allen Hamilton as part of its anti-government AntiSec campaign.
The documents Anonymous released July 11 on The Pirate Bay contained personal and official email addresses and passwords of an estimated 90,000 United States military employees. Anonymous announced the massive data dump on its Twitter feed as part of "Military Meltdown Monday."
The approximately 190MB data torrent included login information for personnel from US CENTCOM, SOCOM, the Marine Corps, Air Force facilities, the Department of Homeland Security, the Department of State and other private-sector contractors. The passwords were unsalted SHA-1 hashes stored as plain text strings, making them vulnerable to being cracked using brute-force methods, Alex Rothacker, director of security research for Application Security's TeamSHATTER, told eWEEK.
"It's slightly better than MD5, but still considered easily crackable with the tools available today," Rothacker said.
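To show why the storage format, not just the hash function, is the problem Rothacker describes, here is an added example in Python (not code from the article or from any party it names). It audits a constructed sample credential store for bare unsalted SHA-1 records and for accounts that share a hash, and contrasts it with a salted, iterated PBKDF2 record; the account names, passwords and fixed salts are invented for reproducibility.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# A bare 40-character hex string is the signature of an unsalted SHA-1 record.
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

def sha1_unsalted(password: str) -> str:
    """The weak scheme described in the article: bare hex SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_salted(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """The remediation: random per-user salt plus an iterated KDF, stored self-described."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit_store(records: dict[str, str]) -> dict[str, list[str]]:
    """Flag accounts stored as bare SHA-1 (weak format) and accounts sharing an
    identical hash (password reuse, which only an unsalted scheme exposes)."""
    weak = sorted(u for u, h in records.items() if SHA1_HEX.match(h))
    by_hash: dict[str, list[str]] = {}
    for user, h in records.items():
        by_hash.setdefault(h, []).append(user)
    shared = sorted(u for users in by_hash.values() if len(users) > 1 for u in users)
    return {"weak_format": weak, "shared_hash": shared}

# Constructed sample credential store; none of this is data from the breach.
# Fixed salts are used here only so the output is reproducible.
SAMPLE_STORE = {
    "alice": sha1_unsalted("welcome1"),
    "bob": sha1_unsalted("welcome1"),  # same password, same hash: one crack opens both
    "carol": sha1_unsalted("hunter2"),
    "dave": pbkdf2_salted("welcome1", salt=bytes(16)),
    "erin": pbkdf2_salted("welcome1", salt=bytes(15) + b"\x01"),  # same password, different record
}
```

Running `audit_store(SAMPLE_STORE)` flags alice, bob and carol for the weak format and alice and bob for a shared hash, while the two PBKDF2 records for the same password are distinct and can only be checked one at a time through `verify_pbkdf2`.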
The group also claimed to have uncovered "maps and keys" for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies. Anonymous also stole 4GB of source code from Booz Allen Hamilton's Subversion code repository and erased it from the servers.
Despite working with the federal government on "defense and homeland security matters," Booz Allen Hamilton was more like a "puny wooden barge" than a "state-of-the-art battleship" when it came to network security, Anonymous said in its statement posted on The Pirate Bay.
The server it compromised "had no security measures in place," allowing the attackers to run their own application on the box and dump the SQL database. During the four-hour-long intrusion, Anonymous gained access to other, unspecified servers and uncovered credentials there.
"As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems," the consulting giant posted on Twitter.