Hackers release credit card, other data from Stratfor breach

Latest data dump purportedly includes 860,000 e-mail addresses and 75,000 unencrypted credit card numbers.

Elinor Mills Former Staff Writer
The hackers released e-mail addresses, credit card numbers and other data from people who had signed up or paid for geopolitical intelligence briefings from Stratfor.

Hackers released more data obtained from a breach of Stratfor, including e-mail addresses and credit card numbers, the geopolitical intelligence firm confirmed to CNET today.

In a post on Pastebin by someone using the "AntiSec" moniker, there are links to downloads of data on different sites, some of which were removed by midday today. The data dump follows the release of a list of Stratfor (Strategic Forecasting) clients on December 25 and a warning from hackers that they had more sensitive data to release, including unencrypted credit card data.

"It's time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor. But that's not all: we're also dumping ~860,000 usernames, email addresses, and md5 hashed passwords for everyone who's ever registered on Stratfor's site," the post says, adding that 50,000 of the e-mail addresses end in .mil or .gov domains.

"We almost have sympathy for those poor DHS employees and australian billionaires who had their bank accounts looted by the lulz ... But what did you expect?" the post says. "All our lives we have been robbed blindly and brutalized by corrupted politicians, establishmentarians and government agencies sex shops, and now it's time to take it back."

The post then goes on to warn that hackers will attack "multiple law enforcement targets from coast to coast" on New Year's Eve and that there will be "noise demonstrations" outside of jails and prisons around the world in solidarity with the prisoners.

"Stratfor regrets the latest disclosure of information obtained illegally from the company's data systems," the company said in a statement. "We want to assure our customers and friends this was not a new cyberattack, but was instead a release of information obtained during the previous security breach. The latest disclosure included credit card information of paid subscribers and many e-mail addresses of those who receive Stratfor's free services."

Asked to comment on the timing of the breach and why the company was not using encryption, Stratfor provided this statement: "We don't have any information on that at the moment. But I want to assure you Stratfor is working with law enforcement to investigate the cyberattacks and will release results soon. In the meantime, we will be providing periodic updates on our response to the attacks."

Meanwhile, the company is offering to pay for a one-year subscription to identity protection services for anyone affected by the breach. The corporate Web site will not be back up for another week or so, Stratfor CEO George Friedman wrote in a post on the company's Facebook page that was also sent to subscribers via e-mail.

"To say we wish this hadn't happened is a massive understatement," he wrote. "As I have stated in prior emails to you, I sincerely apologize for these unfortunate events. Our investigation and coordination with law enforcement is ongoing, and we will continue to update you as more details become available."

On Thursday, the hackers said they had breached the Web site of SpecialForces.com and claimed to have 14,000 passwords and data on 8,000 credit cards, although the data was encrypted. The hackers also claim to have copies of as many as 2.7 million Stratfor e-mails that they plan to release.

AntiSec, a coalition of members of the decentralized Anonymous group of hacktivists and the more mischievous LulzSec offshoot, claimed credit for attacks earlier this year on police, sheriffs and other law enforcement agencies in the U.S. and Italy, defense and government contractors including Booz Allen Hamilton and HBGary Federal, and government agencies in Chile, Zimbabwe, and Brazil.

Stratfor may have hit the hackers' radar when it warned members of Anonymous in November not to wage war on the Zetas drug cartel in retaliation for the alleged kidnapping of an Anonymous member. "As Mexican cartels have targeted online journalists and bloggers in the past, hackers could well be targeted for reprisal attacks," Stratfor wrote in a report on OpCartel.