Stratfor Hack Damage Report: 50,000 Credit Cards, 44,000 Passwords
A few days after the private security think tank Stratfor disclosed that it had been the victim of a hacking attack, apparently carried out by the loosely affiliated group Anonymous, the extent of the damage is becoming clear.
Identity Finder, a New York-based identity theft protection firm, has analyzed the breached information and summarized what the attackers appear to have made off with:
- 50,277 unique credit card numbers, of which 9,651 are not expired
- 86,594 email addresses, of which 47,680 are unique
- 27,537 phone numbers, of which 25,680 are unique
- 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked
  - 73.7 percent of decrypted passwords were weak
  - 21.7 percent of decrypted passwords were medium strength
  - 4.6 percent of decrypted passwords were strong
  - Average decrypted password length: 7.1 characters
  - 10 percent of decrypted passwords were less than 5 characters long
  - Only 4.8 percent of decrypted passwords were 10+ characters long
  - Presumably the remaining non-decrypted passwords were stronger than the decrypted subset
- 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world
The attackers also claim to have taken an additional 2.7 million email messages, which have not yet been released.
Stratfor has promised to inform the customers whose information was taken no later than Dec. 28, which is tomorrow. Anonymous, ever seeking to justify its actions in the name of some higher moral purpose, said in a tweet that Stratfor, which sells subscriptions to its intelligence analysis reports to government, law enforcement agencies and businesses, isn’t “the harmless company it tries to paint itself as,” and that the emails will show that.
Whatever. Wired reported that someone who participated in the attack said that a total of four servers were breached, and the data on them wiped. The question that then logically arises is this: What was a firm that’s ostensibly in the business of advising business and government clients on security doing about its own?