Anonymous has claimed another significant strike on an official US body, posting over 90,000 email addresses purportedly of military personnel.
The hacktivist group said it had compromised a server of US Government contractor Booz Allen Hamilton.
"We infiltrated a server on their network that basically had no security measures in place," Anonymous said in a preamble to its release on The Pirate Bay.
"We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes."
The hacking crew said it had stolen 4GB of source code, which it subsequently deleted from the server.
"Additionally we found some related datas on different servers we got access to after finding credentials in the Booz Allen System. We added anything which could be interesting," Anonymous added.
"And last but not least we found maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies. This material surely will keep our blackhat friends busy for a while."
Senior security advisor at Sophos Canada, Chester Wisniewski, said one big problem for Booz Allen Hamilton was that it stored passwords for the email addresses using only an SHA hash - a cryptographic hash function used as a standard for federal information processing in the US.
"The passwords are not salted, which will likely lead to the majority of the passwords being exposed," Wisniewski said in a blog post.
"While this should certainly be embarrassing to Booz Allen Hamilton, the real impact is on the US military. These 90,000+ individuals will need to reset their passwords, and ensure any systems that they shared these passwords with are changed."
On its Twitter feed, Booz Allen Hamilton said: "As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems."
After a request for comment, the company did not offer any more than the above tweet.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
UK cyber experts on red alert after Salt Typhoon attacks on US telcosAnalysis The UK could be next in a spate of state-sponsored attacks on telecoms infrastructure
-
Healthcare data breaches are out of control – here's how the US plans to beef up security standardsNews Changes to HIPAA security rules will require organizations to implement MFA, network segmentation, and more
-
The US could be set to ban TP-Link routersNews US authorities could be lining up the largest equipment proscription since the 2019 ban on Huawei networking infrastructure
-
US government IT contractor could face death penalty over espionage chargesNews The IT pro faces two espionage charges, each of which could lead to a death sentence or life imprisonment, prosecutors said
-
US identifies and places $10 million bounty on LockBit, Hive ransomware kingpinNews Mikhail Pavlovich Matveev was linked to specific ransomware attacks, including a 2021 raid on the DC police department
-
Breach at US Transportation Department exposes 240,000 employee recordsNews An investigation is underway into the breach, which affected former and current employee data
-
IRS mistakenly publishes 112,000 taxpayer records for the second timeNews A contractor is thought to be responsible for the error, with the agency reportedly reviewing its relationship with Accenture
-
US begins seizure of 48 DDoS-for-hire services following global investigationNews Six people have been arrested who allegedly oversaw computer attacks launched using booters
