14 DAY TRIAL // Anonymous has kept its promise and attacked the Bay Area Rapid Transit (BART) service by hacking into one of its websites and leaking the personal information of over 2,400 passengers.
The information released on Sunday includes full names, phone numbers, street and email addresses, zip codes, and plaintext passwords.
According to Anonymous, the data was extracted from the myBART.gov database by exploiting an SQL injection vulnerability.
"They set up this website called mybart.gov and they stored their members information with virtually no security. The data was stored and easily obtainable via basic sqli," the hacktivists write.
"Any 8 year old with a internet connection could have done what we did to find it. On top of that none of the info, including the passwords, was encrypted," they add.
The group claims that it leaked innocent people's information in order to show that BART doesn't care about passengers.
"We apologize to any citizen that has his information published, but you should go to BART and ask them why your information wasn't secure with them," the group writes.
BART issued a statement about the incident on Sunday announcing that the myBART.gov website was taken offline pending an investigation. It also advised customers to be wary of scams and place a fraud alert on their credit files.
Even though this information is available on the agency's website, one of the affected individuals told The Register that, as of Monday, he hasn't received any notification from BART privately.
Anonymous launched Operation BART last Friday after the transit authorities took the unusual step of suspending cellphone service in seven stations to thwart a rumored protest.
The hacktivist group called for its supporters to flood BART's channels of communications, including email, faxes, telephones and websites. They also warn that the hacking of myBART.gov is only the beginning.