

860k Stratfor Accounts Dump - mrb
http://pastebin.com/f7jYf5Wd

======
dandelany

      It's time to dump the full 75,000 names, addresses, CCs and md5 
      hashed passwords to every customer that has ever paid Stratfor. 
      We almost have sympathy for those poor DHS employees and australian 
      billionaires who had their bank accounts looted by the lulz
    

Wow. Apologies for venting, but this is fucking ludicrous. I am a middle-class
mid-20s programmer who purchased a Stratfor subscription because their
material is incredibly well-researched and about a million times more
enlightening than your average CNN article. And now I have to cancel my credit
card and deal with fraud services. Thanks a ton, Anonymous.

Congratulations, you've exposed the personal details of the rich bankers and
military analysts that recognized Stratfor as the intelligent news service it
is. And in the process, you've managed to completely alienate the rest of the
Stratfor community, members of the "99%", who care enough about understanding
global politics that they were willing to give up a portion of their hard-
earned paychecks to become better-informed. Something tells me it won't be
worth it.

I just can't understand it. These guys are either agent provocateurs, or
complete morons.

~~~
robryan
I'd be blaming the company more than those releasing it. If these guys can how
are you to know if someone hasn't come across the db silently? At least this
way there is some warning.

~~~
dandelany
You're kidding, right? The people releasing it are presumably _the ones who
stole it in the first place._ In a bank robbery, do you blame the manufacturer
of the safe that was cracked? Or home invasions on the alarm system that
failed to catch the thieves? No, the _perpetrators of the crime_ are at fault.

Even if _I_ agreed with you on who was at fault here (which I clearly don't),
do you think any significant number of victims of this leak will honestly
blame Stratfor more than they blame the hackers behind the attack? If not, the
point I made above still stands: Anonymous has alienated anyone who has ever
paid for a Stratfor membership. Which is quite a diverse, and likely
intelligent, group of people.

~~~
joshAg
To continue using your metaphor of a real world safe:

I also blame the manufacturer of the safe because the safe was not as secure
as they claimed and because it's not like securing things correctly is an
unsolved problem or even just np-hard.

information can be stolen more than once, and if it can be stolen by these
people, then you can damn well bet that it can be stolen by people who might
not want to let you know that they took the information. how long has that
data been sitting there unsecured? how many times has that data been stolen
through unauthorized access? is it even reasonable to ask to be able to run a
pen test against anyone who wants my information, so that i can actually know
my data is secure?

~~~
sbraford
Let's try to find some common ground here:

First: If you use a Master Lock (heh or an old pen-hackable Kryptonite lock)
on your Bank Vault, obviously you are at fault. Doesn't matter what kind of
world you _want_ to live in, you need to secure your wares adequately.

Second: It's a dick move of these guys to release all this info. They are
hacktivists, or so they claim. (If they wanted to profit off this they'd sell
the hacked db to Russians and not release the data) People like MLK and Gandhi
also pissed off a lot of people. For example by sitting at white lunch
counters, getting spit on, etc. Sorry, that's the idea behind civil
disobedience / hacktivism / etc.

Third: this has been stated before, but how do you not know that this database
wasn't already cracked 2 years ago by malevolent forces who've been using it
for evil, but not telling you about it?

I think it's safe to say Stratfor probably wasn't using a Master Lock, but
clearly they didn't do enough pen testing or whatever it would've taken for
them to more securely lock down their shit.

(Thought experiment: if a YC company got owned, do you think pg would blame
the thieves, for their smash & grab kind of job? Or the coders who left a
gaping security hole / social engineering attack vector open?)

~~~
joshAg
common ground found.

not sure what pg would say, but for me (if i were in his shoes) it would
depend entirely upon what/how the company was owned. there's a big difference
between, say, a hacker exploiting a hole in a well-vetted, well-known
encryption api and a hacker exploiting a hole in an encryption api that you
rolled yourself.

------
tansey
Worth noting that these passwords are all MD5 encrypted but not salted. There
were also no creation rules enforced, as a quick check reveals:

    Highest reused password count: 12023
    "stratfor":  12023
    "password":  517
    "password1": 46
    "Password1": 24
    "123456":    625
    "12345678":  74
    "jesus":     2
    "love":      7
    "war":       1
    "michael":   39
    "america":   7
    "xbox360":   0
    "heroes":    0

Those last 2 are popular for the battlefield heroes dataset and other gaming-
related ones, so I keep them in my script as gaming sites are both highly
targeted and usually poorly secured.

Anyway, it's clear that no rules were enforced as a 3-letter dictionary word
like "war" would never be allowed by any rule creation system. The fact that
"stratfor" was used by nearly 1.4% of all accounts (!) tells me that either
their users did not value these accounts or they simply have no idea how
passwords are supposed to work.

~~~
steve8918
How did you get a breakdown of all the passwords used? Did you try to crack
them yourself, or have the cracked passwords been posted? I'm trying to figure
out if my own password has been compromised.

~~~
MadGouki
All you need to do to figure out the hash for a password is take the MD5 hash
of it. My guess is the commenter you replied to just took some common
passwords and some no-brainers and did a quick little "find all" for each
hash.

Here's a tool you can use to generate MD5 hashes for given passwords:
<http://www.iwebtool.com/md5?string=stratfor>

Going from the hashes to the passwords requires brute forcing, dictionary
attacks, that sort of thing.
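The two comments above (tansey's frequency counts and MadGouki's "hash the common words and find all" explanation) describe the same property of unsalted MD5: every user with the same password has the same stored hash, so reuse is visible without cracking anything, and one hash per candidate word is enough to count how many accounts use it. The following is an added example, not code from the thread or from any of the commenters. It audits a constructed user table (built inline from known plaintexts, not data from the dump) the way an operator would check their own database, and then shows the fix the thread implies: a per-user random salt and a slow KDF (PBKDF2-SHA256 here), under which two users with the same password get different stored values. Function names and the `pbkdf2_sha256$` storage format are my own choices.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional, Tuple


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the scheme the thread says the dump used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample user table: (username, unsalted MD5 hex digest).
# Built here from known plaintexts; NOT rows from the real leak.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("alice", md5_hex("stratfor")),
    ("bob",   md5_hex("stratfor")),          # same password as alice -> same hash
    ("carol", md5_hex("password")),
    ("dave",  md5_hex("war")),               # 3-letter word no policy would allow
    ("erin",  md5_hex("b4u5-Tq9!zL#m2")),    # long and unique: not in any wordlist
]

# Candidate list, modelled on the words tansey checked (constructed, shortened).
COMMON_WORDS = ["stratfor", "password", "password1", "123456", "war", "heroes"]


def reuse_counts(rows: List[Tuple[str, str]]) -> Counter:
    """Count identical stored hashes. With no salt, identical hash == identical
    password, so this reveals reuse with zero cracking effort."""
    return Counter(h for _, h in rows)


def audit_common_passwords(rows: List[Tuple[str, str]],
                           wordlist: List[str]) -> Dict[str, int]:
    """Hash each candidate exactly once and count users whose stored hash
    matches it (the "find all" MadGouki describes). Returns {word: count}."""
    by_hash = reuse_counts(rows)
    return {w: by_hash.get(md5_hex(w), 0) for w in wordlist}


# --- the fix: per-user random salt + slow, iterated KDF -------------------

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>'. A fresh 16-byte
    salt per call means the same password never produces the same record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("most reused hash:", reuse_counts(SAMPLE_ROWS).most_common(1))
    print("common-password audit:", audit_common_passwords(SAMPLE_ROWS, COMMON_WORDS))
    a, b = hash_password("stratfor"), hash_password("stratfor")
    print("salted records for the same password differ:", a != b)
    print("verify ok:", verify_password("stratfor", a))
```

The audit functions only need the candidate list hashed once because the table has no salt; against the salted records produced by `hash_password`, the same audit would have to redo the full PBKDF2 work per user, which is the entire point of salting plus iteration.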

------
gst
When downloading the file from the .onion URL given in the link, the archive
contains a member "._stratfor_users.csv". Seems that this is some OS X
metafile that also includes a UUID of some sort.

Anyone more familiar with the format? Does the UUID make it possible to identify
the user that originally downloaded the CSV and/or posted the archive? (Assuming
that you have access to Apple's or Google's data).

~~~
dhx
AppleDouble format version 2. Home file system is "Mac OS X". There are 2
entries in the file.

Format specifications for this file are available:
<https://tools.ietf.org/html/rfc1740>

General information on the file format:
<https://en.wikipedia.org/wiki/AppleSingle_and_AppleDouble_formats>
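dhx's reading of the `._stratfor_users.csv` member (AppleDouble, version 2, "Mac OS X" in the home-file-system field, two entries) comes straight from the fixed header that RFC 1740 defines: a 4-byte magic (0x00051607 for AppleDouble, 0x00051600 for AppleSingle), a 4-byte version (0x00020000 for version 2), 16 bytes of home-file-system/filler, a 2-byte entry count, then one 12-byte descriptor (entry ID, offset, length) per entry. The following is an added example, not code from the thread; it parses that header and entry table from a byte string and reports what each entry is, which is the first thing a forensic reviewer would do with such a metadata file before speculating about what it contains. The sample blob is constructed inline (a Finder Info entry and a short resource fork) and is not the file from the archive.

```python
import struct
from typing import Dict, List

APPLEDOUBLE_MAGIC = 0x00051607
APPLESINGLE_MAGIC = 0x00051600
HEADER_FMT = ">II16sH"      # magic, version, home file system / filler, entry count
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 26 bytes
ENTRY_FMT = ">III"          # entry ID, offset, length
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 12 bytes

# Entry IDs from RFC 1740, section "Entry IDs".
ENTRY_NAMES = {
    1: "Data Fork", 2: "Resource Fork", 3: "Real Name", 4: "Comment",
    5: "Icon, B&W", 6: "Icon, Color", 8: "File Dates Info", 9: "Finder Info",
    10: "Macintosh File Info", 11: "ProDOS File Info", 12: "MS-DOS File Info",
    13: "Short Name", 14: "AFP File Info", 15: "Directory ID",
}


def parse_appledouble(blob: bytes) -> Dict:
    """Parse the AppleSingle/AppleDouble header and entry table.

    Entry payloads are returned as opaque bytes; nothing here interprets
    them. Offsets are bounds-checked so a crafted table cannot read past
    the buffer."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an AppleSingle/AppleDouble header")
    magic, version, home_fs, count = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic not in (APPLEDOUBLE_MAGIC, APPLESINGLE_MAGIC):
        raise ValueError(f"bad magic 0x{magic:08x}")
    entries: List[Dict] = []
    pos = HEADER_LEN
    for _ in range(count):
        if pos + ENTRY_LEN > len(blob):
            raise ValueError("truncated entry table")
        eid, off, length = struct.unpack(ENTRY_FMT, blob[pos:pos + ENTRY_LEN])
        pos += ENTRY_LEN
        if off + length > len(blob):
            raise ValueError(f"entry {eid} points past end of file")
        entries.append({
            "id": eid,
            "name": ENTRY_NAMES.get(eid, f"unknown({eid})"),
            "offset": off,
            "length": length,
            "data": blob[off:off + length],
        })
    return {
        "kind": "AppleDouble" if magic == APPLEDOUBLE_MAGIC else "AppleSingle",
        "version": version >> 16,                       # 0x00020000 -> 2
        # Version 2 calls this field "filler"; macOS writes a space-padded
        # "Mac OS X" into it, which is what dhx reported.
        "home_fs": home_fs.rstrip(b" \x00").decode("ascii", "replace"),
        "entries": entries,
    }


def build_sample() -> bytes:
    """Constructed sample: a minimal AppleDouble v2 file with two entries,
    laid out like a macOS '._' sidecar. Not the file from the archive."""
    finder_info = b"\x00" * 32                 # 32-byte Finder Info, all zero
    rsrc = b"CONSTRUCTED RESOURCE FORK"        # stand-in resource fork payload
    table_end = HEADER_LEN + 2 * ENTRY_LEN
    header = struct.pack(HEADER_FMT, APPLEDOUBLE_MAGIC, 0x00020000,
                         b"Mac OS X".ljust(16, b" "), 2)
    table = struct.pack(ENTRY_FMT, 9, table_end, len(finder_info))
    table += struct.pack(ENTRY_FMT, 2, table_end + len(finder_info), len(rsrc))
    return header + table + finder_info + rsrc


if __name__ == "__main__":
    info = parse_appledouble(build_sample())
    print(info["kind"], "version", info["version"], "home fs:", info["home_fs"])
    for e in info["entries"]:
        print(f"  entry {e['id']:2d} {e['name']:<16} offset={e['offset']} len={e['length']}")
```

To inspect a real sidecar, replace `build_sample()` with `open(path, "rb").read()`. Whether any entry carries an identifier that could be tied back to a machine or user is a question about the entry payloads, which this parser deliberately leaves as raw bytes for separate inspection.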

------
Jayasimhan
naive question. Is it a violation of law to download these files? I don't want
to be in any kind of trouble for five minutes of excitement.

edit: I currently live in the US.

~~~
thesis
I guess it depends on where you live... but I'm not touching anything with
that much CC data in it.

Good luck.

~~~
redthrowaway
I'm not sure merely _downloading_ the data from a public source is a crime,
but I'm hiding behind academic research anyway.

~~~
stfu
How much cover does the "academic research" argument actually give? Any
experience with that?

~~~
redthrowaway
Not any first-hand, and I hope never to have to find out. Still, I suspect "I
am an RA working with a security researcher and we're studying password
strength" would go over better than "I'm curious", although they amount to the
same thing. The respect and deference we afford institutions can be a bit
strange, at times.

------
steve8918
About 10 years ago, American Express had a service where you could create one-
time credit card numbers for using it online. I loved it.

For whatever reason, a couple of years later, they got rid of the service.
It's times like these when a service like that would have been perfect.

~~~
politician
So, Citi provides a similar "Virtual Account Number" service which allows a
cardholder to create a new cc# with a new expiration date and a specific
balance, but the billing address cannot be customized which reduces the
usefulness of the service.

As far as I know, it's also free.

------
jonhendry
If Anonymous thinks they're making a strike against American militarism with
this, why didn't they hack some place that has more influence, like the
American Enterprise Institute, which is blatantly ideological and employed a
number of people who went on to the Rumsfeld Pentagon?

The people who support the Stratfor hack keep painting a picture of Stratfor
which would far more accurately depict the mendacious hacks at AEI.

~~~
im3w1l
They hack whatever sites their scripts work on.

------
CGamesPlay
Interestingly, <http://www.stratfor.com/> is "down for maintenance" at the
moment.

------
tomjen3
So what exactly has Stratfor done? I mean aside from posting their own
(informed) articles and running a business?

These people aren't protesting anything reasonable anymore -- they are flat
out against people who earn money. Personally I consider them traitors to
America.

~~~
dantheman
I'm a fan of Stratfor (I read it to get a handle on international news - they
provide a background/context to enable me to understand what's going on,
unlike traditional news), and I don't agree with this type of activity, but
calling someone a traitor is a serious allegation, especially when these
people are merely criminals and are not committing treason, which is what
traitors do. Given that I don't understand the point of posting account
details with password hashes, and CC#s - what are they trying to achieve?

~~~
gruseom
_I read it to get a handle on international news - they provide a
background/context to enable me to understand what's going on, unlike
traditional news_

That sounds like it might be worth looking at. Is there a publicly accessible
example you could provide a link to?

~~~
ovi256
Unfortunately, their site has been down since the penetration. Even if it
appears most of their content is not free, I signed up for their newsletter
and received links to some articles regularly.

I highly recommend "The Geopolitics of the United States" series. Very well
reasoned and clear explanation of the underpinning advantages of the US. It
all clicked together so nicely.

No idea where you could find it now though.

Maybe these black hats should have snatched a copy of the content instead of
these stupid mail spools.

~~~
gyardley
John Mauldin frequently links to / references / includes excerpts from
STRATFOR in his own newsletters. This is just an excerpt, but should give
anyone curious a sense of the quality:

<http://www.johnmauldin.com/images/uploads/pdf/mwo082511.pdf>

