Softpedia
July 12th, 2011, 08:20 GMT · By

U.S. Military Contractor Hacked and Email Addresses Exposed

Hackers break into Booz Allen Hamilton's computer network
Hackers affiliated with the Anonymous collective and its Antisec campaign have hacked into computer systems belonging to U.S. military contractor Booz Allen Hamilton and leaked sensitive data found inside.

The hackers described the attack in the description of a torrent posted on ThePirateBay, which also contains a list of 90,000 email addresses belonging to military personnel, together with crackable password hashes.

"We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty," the hackers write.

In addition to the email addresses, the attackers also included an SQL dump of the database and additional data found on other internal servers they were able to access.

Four gigabytes of source code were allegedly copied from the company's SVN server, and its contents were wiped clean afterwards. The code is not included in the torrent.

Booz Allen Hamilton declined to comment. "As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems," the company wrote on Twitter.

The hackers claim that the compromise provided them with the access keys for other government-related targets which they plan to hit in the future.

The security breach and data leak raise serious concerns because of the nature of the information involved. First of all, it's probably not average soldiers who have accounts with Booz Allen Hamilton, but ranking officers, particularly those dealing with intelligence.

The fact that the hashes were generated with the SHA1 algorithm and are not salted makes them susceptible to brute-force cracking attempts, especially if the original passwords were not strong to begin with.
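Why unsalted SHA1 storage is weak, and what a hardened scheme looks like, shown as an added example that is not part of the original article or of any code from the breach. The accounts, the storage format and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_sha1(password):
    """Unsalted SHA-1, the scheme the article describes: fast and deterministic."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_digests(table):
    """Group accounts by stored value; a group of 2+ falls to a single guess."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Constructed sample accounts (not from the leak): two users share a password.
SAMPLE = {"alice@example.test": "Summer2011",
          "bob@example.test": "Summer2011",
          "carol@example.test": "x9!Lq#72vTz"}

if __name__ == "__main__":
    weak = {u: legacy_sha1(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted SHA-1, shared digests:", list(shared_digests(weak).values()))
    print("salted PBKDF2, shared digests: ", list(shared_digests(strong).values()))
```

With unsalted SHA1, identical passwords produce identical stored values across the whole table, so one precomputed or guessed digest covers every account that reused it; the salted, slow scheme forces a separate and costly computation per account.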

But even if the access codes don't get cracked or if they weren't used anywhere else except Booz Allen Hamilton, there is still the risk of targeted email attacks, like the ones reported by Google in June.

Update July 13, 2011: The leaked email address database was made searchable by Dazzlepod so that military personnel can easily determine if they were affected by the leak.
