The lists, which were published on the Internet late on Thursday, included information on people such as former US Vice President Dan Quayle, former Secretary of State Henry Kissinger and former CIA Director Jim Woolsey. They could not be reached for comment.
The lists included information on large numbers of people working for big corporations, the US military and major defense contractors — which attackers could potentially use to target them with virus-tainted e-mails in an approach known as “spear phishing.”
The Antisec faction of Anonymous disclosed last weekend that it had hacked into the firm, which is widely known as Stratfor and is dubbed a “shadow CIA” because it gathers non-classified intelligence on international crises. The hackers had promised that the release of the stolen data would cause “mayhem.”
A spokesperson for the group said via Twitter that yet-to-be-published e-mails from the firm would show “Stratfor is not the ‘harmless company’ it tries to paint itself as.”
Antisec has not disclosed when it will release those e-mails, but security analysts said they could contain information that could be embarrassing for the US government.
Stratfor issued a statement on Friday confirming that the published e-mail addresses had been stolen from the company’s database, saying it was helping law enforcement probe the matter and conducting its own investigation.
“There are thousands of e-mail addresses here that could be used for very targeted spear phishing attacks that could compromise national security,” said John Bumgarner, chief technology officer of the US Cyber Consequences Unit, a non-profit group that studies cyber threats.
The Pentagon said it saw no threat so far.
“We are not aware of any compromise to the DOD information grid,” said Lt. Col. Jim Gregory, a spokesman for the Department of Defense.
In a posting on the data-sharing website pastebin.com, the hackers said the list included information from about 75,000 customers of Stratfor and about 860,000 people who had registered to use its site. They said that included some 50,000 e-mail addresses belonging to the US government’s .gov and .mil domains. The list also included addresses at contractors including BAE Systems Plc, Boeing Co, Lockheed Martin Corp. and several US government-funded labs.
The entries included scrambled versions of passwords. Some of them can be unscrambled using databases known as rainbow tables that are available for download over the Internet, according to Bumgarner.
He said he randomly picked six people on the list affiliated with US military and intelligence agencies to see if he could crack their passwords.
He said he was able to break four of them, each in about a second, using one rainbow table.
Anonymous hackers publish Stratfor data
Publication Date:
Sun, 2012-01-01 01:48