- Oct 23, 2012
A US teen hacker has infiltrated and stolen personal information of US citizens from hundreds of US state government servers hosted on .us domains.
The hacker's name is Fear (@hackinyolife on Twitter), and this all seems to be an accidental hack, with the perpetrator stumbling onto a treasure trove he never expected to find.
"I gained access to an ftp server, that listed access to all the ftp’s on .us domains, and those .us domains were hosted along with .gov , so I was able to access everything they hosted, such as, public data, private data, source codes etc.," Fear told DataBreaches.net in an exclusive interview.
In a separate conversation with Softpedia, the hacker said that this first FTP server he breached belonged to the official .us registrar, which according to Wikipedia is Neustar. Fear confirmed via Twitter that he did hack Neustar.
Troves of sensitive data stored in cleartext
While anyone can register a .us domain, most of the time .us domains are used to host local state government websites.
Fear claims he was able to download large amounts of data from these state websites. He also says that all the data he found was stored in cleartext, with no encryption.
The hacker says he was able to steal Social Security numbers, credit card numbers, postal and email addresses, phone numbers, web-banking transactions, US voter registration data, and more.
In specific cases, the hacker stole postal and email addresses and phone numbers of Minnesota school board candidates, banking transactions from the First Bank of Ohio, pharmacy prescription information from the state of Florida, voter registration data for the state of Washington, and more.
Ironically, just last week, US-CERT issued an alert to state agencies about the possibility of attacks meant to steal US voter registration information. The advisory came after two high-profile cyber-attacks on state election systems, in Arizona and Illinois, at the end of August.
Hacker says he'll dump the data online
The hacker also bragged about downloading 101,087,939 Social Security numbers from an unnamed state, and said he was currently downloading another 400 million records from other sources.
All this constant downloading of personal information gave the hacker away, and after a few hours, he lost access to some servers. It is unknown at this point who detected the intrusion. Fear declined to say which servers he had lost access to.
The hacker also said that many of these government FTP servers were improperly secured, with six of the 50 states using five-character-long passwords.
Fear says he plans to leak some of the data. "When I dump the data, well if I choose to, I will include credit cards, social security and address, phones, names," Fear told Softpedia in a Twitter conversation.
Softpedia has reached out to Neustar seeking comment on the incident. We will update the post if we receive an official statement.
SQL table holding data belonging to the First Bank of Ohio (via DataBreaches.net)