Anonymous claims US military email theft

News 12 Jul, 2011

The hacktivist group says it took over 90,000 emails from US military personnel.

Anonymous has claimed another significant strike on an official US body, posting over 90,000 email addresses purportedly of military personnel.

The hacktivist group said it had compromised a server of US Government contractor Booz Allen Hamilton.

“We infiltrated a server on their network that basically had no security measures in place,” Anonymous said in a preamble to its release on The Pirate Bay.

“We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes.”

The hacking crew said it had stolen 4GB of source code, which it subsequently deleted from the server.

“Additionally we found some related datas on different servers we got access to after finding credentials in the Booz Allen System. We added anything which could be interesting,” Anonymous added.

“And last but not least we found maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies. This material surely will keep our blackhat friends busy for a while.”

Chester Wisniewski, senior security advisor at Sophos Canada, said one big problem for Booz Allen Hamilton was that it stored the passwords for the email addresses using only an SHA hash, a cryptographic hash function used as a federal information processing standard in the US.

“The passwords are not salted, which will likely lead to the majority of the passwords being exposed,” Wisniewski said in a blog post.

“While this should certainly be embarrassing to Booz Allen Hamilton, the real impact is on the US military. These 90,000+ individuals will need to reset their passwords, and ensure any systems that they shared these passwords with are changed.”
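The effect of the missing salt, as an added example that is not from the article or from any system it describes: an unsalted digest is identical for every account using the same password, while a per-user salt with a slow key-derivation function is not. It assumes SHA-1 for the unspecified "SHA hash"; the accounts, passwords, function names and PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """Weak scheme: a bare digest, so equal passwords give equal records."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def shared_records(store: dict[str, str]) -> list[list[str]]:
    """Audit: group accounts whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for account, record in store.items():
        groups[record].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed accounts and passwords, for illustration only.
ACCOUNTS = {
    "alice@mail.example": "Summer2011!",
    "bob@mail.example": "Summer2011!",
    "carol@mail.example": "x9#Lq-vT2p",
}

weak_store = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
strong_store = {user: salted_record(pw) for user, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted, shared digests:", shared_records(weak_store))
    print("salted, shared records:  ", shared_records(strong_store))
```

In the unsalted store, anyone holding the dump can see which accounts share a password and can test one guess against every record at once; in the salted store each record has to be attacked separately.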

On its Twitter feed, Booz Allen Hamilton said: “As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems.”

Asked for comment, the company offered nothing beyond the above tweet.