Looks like Anonymous/#AntiSec massively hacked Stratfor, while mocking statements the firm had made. The hackers also dumped what may be their corporate subscribers list. In a tweet earlier today, @anonymousSabu wrote:
stratfor.com “global intelligence” company owned and rm’d. Go to it now. See the defacement. Over 90k CCs from LEAs leaked. OUCH
I have not yet learned whether or where the hacked credit card numbers may have been dumped (they do not seem to have been at the time of this posting), but in a lengthy post on the defaced home page of Stratfor, the hackers did post the full credit card number with CVV of Frank Gignac, Stratfor’s CTO.
Less than an hour after the hack was announced on Twitter, the site was unavailable. In a statement sent to members and posted on the site later, CEO George Friedman wrote:
Dear Stratfor Member,
We have learned that Stratfor’s web site was hacked by an unauthorized party. As a result of this incident the operation of Stratfor’s servers and email have been suspended.
We have reason to believe that the names of our corporate subscribers have been posted on other web sites. We are diligently investigating the extent to which subscriber information may have been obtained.
Stratfor and I take this incident very seriously. Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me. We are working closely with law enforcement in their investigation and will assist them with the identification of the individual(s) who are responsible.
Although we are still learning more and the law enforcement investigation is active and ongoing, we wanted to provide you with notice of this incident as quickly as possible. We will keep you updated regarding these matters.
Sincerely,
George Friedman
The hackers claim to have used stolen credit card numbers to make $1 million donation to charities. They also claim to have downloaded 200GB of e-mails.
Update 1: Neither the credit card numbers nor the e-mail archive appear to be on the web as of Sunday morning.
Update 2: Don’t know if this tweet was in response to one of my own seeking confirmation, but @YourAnonNews just tweeted confirmation that the credit card data were stored clear-text. Ouch!
Update 3: And so it begins – the release of credit card numbers, MD5-hashed passwords, and home addresses:
Looking at the data dump, the listing includes phone numbers and credit card expiration dates, too. Some of the numbers are expired.
Anonymous also revealed some images of donations made using subscribers’ credit card numbers. It appears from one of the images that this has been going on for over one week.
Update 4: Someone claiming to be Anonymous has posted an “Emergency Christmas Anonymous Press Release” that says, in part:
Stratfor has been purposefully misrepresented by these so-called Anons and portrayed in false light as a company which engages in activity similar to HBGary. Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs. As a media source, Stratfor’s work is protected by the freedom of press, a principle which Anonymous values greatly.
This hack is most definitely not the work of Anonymous.
Whether you believe it is a genuine missive from Anonymous or a disinformation campaign is up to you. 🙂
Update 5: Stratfor sent an updated message to its subscribers.
Update 6: My skepticism about the “press release” denying Anonymous’s involvement in Stratfor hack continued to grow although a lot of media sources seem to just credit it uncritically. In a press release this morning from #AntiSec, there’s this note about the release:
SPECIAL NOTICE: We are aware that there has been some confusion as to whether the STRATFOR hack is an “official” Anonymous operation, due to a ridiculous “Emergency Anonymous Press Statement” being circulated, undermining our work while also making baseless accusations that we frequently see perpetrated by agent provocateurs. Whether this is the work of malicious counter-intelligence,, some butthurt pacifists, or stratfor employees themselves is unknown. Unfortunately, some main stream news agencies have picked up on this statement, looking for any reason to highlight and exploit any potential “inner divisions” within Anonymous. However, there has been no such squabble or infighting regarding the STRATFOR target, or any other LulzXmas target for that matter. Anyone can claim to be Anonymous, but because of the inherent decentralized nature of Anonymous, without central top-down leadership, no individual is in a place to speak to the legitimacy of another individual or group’s operation. Furthermore, our history of owning high profile targets as Anonymous has been well documented at the #antisec embassy (http://ibhg35kgdvnb7jvw.onion/) and is well known and respected within all Anon communities. Case closed.
Update 7: As I hinted in Update 4, the “press release” was not written by a member of Anonymous:
Actually, this may have been happening over the last few weeks and not just this week. I got a call from my credit card company here in Asia to advise that the card had been compromised 2 weeks ago, this is the only incident that relates to details leaking.
Yep, that’s why I said “for over one week.” Which leaves me even less impressed with Stratfor. Not only did they not encrypt the data (if the hackers are reporting accurately), but they failed to detect the intrusion – or repeated intrusions? If I had given them my credit card number, I’d be pretty upset with them right about now.
As a non-professional subscriber to Stratfor I can say to Anonymous: suck my ass. If we ever cross paths you will have no quarter. You people a leeching ass-suckers and will pay the price.
Too funny…. A global security company hashing passwords with MD5 and and storing secrets (such as credit card numbers) in the plain text. The CIO and CSO should be fired. The shareholders should bring suit against the company due to the incompetence of the board members, and make the firm that performed the PCI/DSS audit a codefender.
Jeffrey Walton
Baltimore, MD, US
Are you assuming that there was a PCI-DSS audit or have you seen some statement that claims they actually ever had one?