As part of Project Mayhem, AntiSec hackers took down the official website of the California Law Enforcement Association (cslea.com). Currently, the website is still down and the attackers claim that other websites hosted on the same domain are also “wiped off the net.”
Besides defacing the website and posting their messages on its main page, the black hats also leaked the contents of some emails belonging to the association's staffers and billing information from its customers.
“Interestingly, CSLEA members have discussed some of our previous hacks against police targets, raising concern for the security of their own systems,” the hackers said.
The emails sent between employees show that at one point they suspected they were the victims of a data breach, but it took some time for them to change the email passwords.
Until they did so, the hackers managed to obtain a lot of sensitive information, including the unencrypted content of some database tables that was sent via email.
In one of the emails, the hacktivists also found a list of personal email addresses belonging to New York police chiefs.
“For our next owning we bring you multiple law enforcement targets in the state of New York, who has been on our crosshairs for some time due to their brutal repression of Occupy Wall Street,” they said.
It’s highly unfortunate how officials fail to react even after they clearly notice that they’re victims of a malicious operation. The leaked emails show how a computer and network systems technician describes the site’s security plan, mentioning all the protection measures that should make their assets almost impossible to obtain.
Even though in theory everything sounded “airtight,” in reality the hackers had access to the site for a long period of time, even after the organization took some basic steps to make sure the holes were patched up.
“In all fairness, they did make an effort to secure their systems after discovery of the breach. They changed a few admin passwords and deleted a few backdoors. Shut mail down for a few days,” the hacker wrote.
“But we still had shell on their servers, and were stealthily checking out the many other websites on the server, while also helping ourselves to thousands of police usernames and passwords.”