Hacker Exposes US Government Staff Log-ins

A single hacker has successfully penetrated an events management company and obtained sensitive information belonging to 20,000 individuals, many of whom were United States government contractors or employees.

The cyber-attacker posted an Excel spreadsheet containing log-in credentials and personal information for 20,000 people obtained from allianceforbiz.com, according to a blog post signed by “Thehacker12” on 22 August.

Allianceforbiz.com is a professional trade show management company that manages conferences, meetings and trade shows for customers, according to the company website.

Passwords Exposed

The list has been made public on Pastebin and Mediafire and a message posted on Twitter: “20,000 email-passwords had been leaked consisting mostly of US Mill Army, Govern. & corporate giants.”

The spreadsheet contains usernames, passwords, email addresses. company name, and also whether the individual works for a government agency, Catalin Cosoi, head of Bitdefender Online Threats Lab, told eWEEK. Identity Finder, a data loss prevention software vendor, ran the file through its software and found 13,322 passwords and 17,590 email addresses in the file. Only 11,358 of the passwords had a username associated with them, Todd Feinman, CEO of Identity Finder, told eWEEK.

The file also contained 17,668 company names, of which 14,739 were unique, and most had only one email address associated with each name, according to the analysis. This means more than 14,000 organisations may be affected by Thehacker12’s breach of allianceforbiz.com.

Since allianceforbiz.com managed events for customers, it is likely that the list contained the person in each organisation who was working directly with the provider. However, there were some organisations with 10 or more email addresses associated with the name, Identity Finder found in its analysis.

“Interesting to note most of these are government entities,” Feinman said.

The US Small Business Administration had 70 entries, followed by 42 from the US General Services Administration, 37 from the US Department of Commerce, 34 from the US General Services Administration and 33 from the US Department of State.

Other affected organisations include the Federal Aviation Administration, US Army Corps of Engineers, national non-profit agency NISH, US Department of Housing & Urban Development, US Environmental Protection Agency and the VA Medical Center. Defence and government contractors Honeywell, BAE Systems, WP Hickman Systems and CH2m Hill were also on the list.

Password Security

Considering the high incidence of password reuse by Internet users, it is possible that the information could lead to identity fraud, said Identity Finder’s Feinman. “Passwords are a digital identity,” and the victims will not know if an identity thief is testing out username or email address and password combinations to try to login to the online bank, online retailers or other services, Feinman said.

Bitdefender’s Cosoi noted that most of the email addresses on the list are work accounts, which means a malicious third party now has login credentials that may work when trying to breach one of the affected organisations’ network and systems or the corporate email server. This level of access can “lead to blackmail, extortion or selling private data to third parties” or targeted emails sent to other employees within the organization from the victims’ accounts, he said.

Noting the “significant number of government agencies” in the leaked file, “we can conclude that this data leak will have serious unpleasant consequences,” Cosoi said.

The perpetrator claims to be “an AntiSec supporter” but not a member of the hackers collective Anonymous. AntiSec is a movement initially launched by the cyber-group LulzSec earlier this summer to hack into government systems and expose secrets and documents. Anonymous has recently breached a number of defence contractor and law enforcement websites under the AntiSec banner.

“His or her deeds actually support the same side of the story, which is hacking for the sake of publicly making an anti-establishment point,” said Cosoi. Both the media and law enforcement authorities are focused on Anonymous and LulzSec, leaving the “door open to other small groups to make a stand and show their skills” and continue the AntiSec activities without drawing too much attention, Cosoi said.

Thehacker12 has been busy over the past week, mining and dumping three other files containing a total of 16,500 other email and password combinations stolen from unknown targets. His method of attack remains unclear.