European Space Agency records leaked for amusement, attackers say

In all, 8,107 names, email addresses, and passwords were posted to the Web


Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest.

The compromised records were discovered on the ESA subdomains targeted by Anonymous, including due.esrin.esa.int, exploration.esa.int, and sci.esa.int. Once the records were copied, they were posted to a public document server and shared among various people online.

The post exposing the breached data says the ESA attack was done for amusement only (lulz), and promoted the cyberguerrilla.org IRC server and the OpNewBlood / FreeAnons channels.

Along with database schemas and server stats, a second post by Anonymous also included 8,107 names, email addresses, and passwords. A third post exposed contact details for various ESA supporters and researchers.

The leaked data highlights a troubling problem with the passwords used on the compromised domains. Of the 8,107 passwords exposed, 39 percent (3,191) were just three characters long (e.g. 'esa', '469', '136').

The second largest set of passwords, 1,314 (16%), were eight characters long, and based on their construction they would have been easily cracked by most rule sets and dictionaries. Passwords such as trustno1, rainbow6, password, 12345678, and those based on the person's name or email address would be the first to fall.

Those users with 20 character (and the one person with a 24 character) passwords clearly used a password management system to generate them, as did some of the others with 12 and 15 characters.

Based on the posted list, an unfortunate detail becomes rather clear: either the passwords were poorly secured and easily reversed, or they were stored in clear text inside the database. Both options are bad news, and worse still if the data was stored in the clear. Even if the subdomains are not critical to the ESA, the data should have been protected better.
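The two failures the article points at, three-character passwords being accepted at all and the stored values being recoverable from a database dump, are both avoidable at the application layer. The following is an added example, not ESA code or anything described in the article: a registration-time policy check paired with salted scrypt hashing, so that a copied table yields only salts and digests. The minimum length of 12, the scheme tag and the scrypt parameters are choices made here for illustration; the common-password set holds only the four passwords the article names.

```python
"""Registration policy check plus salted scrypt storage and constant-time
verification. Added example; thresholds and parameters are assumptions."""
import base64
import hashlib
import hmac
import os

MIN_LENGTH = 12                                           # assumed policy
COMMON = {"trustno1", "rainbow6", "password", "12345678"}  # the article's examples
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32   # ~16 MiB per hash
MAXMEM = 64 * 1024 * 1024


def policy_violations(password, email=""):
    """Return the reasons a password must be rejected at registration ([] if none)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in COMMON:
        reasons.append("common password")
    local = email.split("@")[0].lower()
    if local and local in password.lower():
        reasons.append("contains email local part")
    return reasons


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          dklen=DKLEN, maxmem=MAXMEM)


def hash_password(password, salt=None):
    """Return 'scrypt$<salt b64>$<digest b64>' with a fresh random salt per record,
    so identical passwords do not produce identical stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = _scrypt(password, salt)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    return hmac.compare_digest(_scrypt(password, salt), expected)


def register(email, password):
    """Return the record to store, or raise ValueError listing the policy failures."""
    problems = policy_violations(password, email)
    if problems:
        raise ValueError("; ".join(problems))
    return {"email": email, "password_hash": hash_password(password)}


if __name__ == "__main__":
    record = register("user@example.org", "correct horse battery staple")
    print(record["password_hash"])
    print(verify_password("correct horse battery staple", record["password_hash"]))
    try:
        register("user@example.org", "esa")
    except ValueError as err:
        print("rejected:", err)
```

Had the compromised sites stored records this way, the posted list would have contained no password at all, and the three-character entries would never have been created in the first place.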

A brief breakdown of the passwords is below:

3,191    Passwords w/ 3 Characters
1,314    Passwords w/ 8 Characters
888    Passwords w/ 6 Characters
771    Passwords w/ 7 Characters
699    Passwords w/ 9 Characters
533    Passwords w/ 10 Characters
168    Passwords w/ 5 Characters
131    Passwords w/ 11 Characters
117    Passwords w/ 4 Characters
95    Passwords w/ 12 Characters
63    Passwords w/ 13 Characters
35    Passwords w/ 15 Characters
32    Passwords w/ 14 Characters
22    Passwords w/ 20 Characters
16    Passwords w/ 16 Characters
13    Passwords w/ 19 Characters
9    Passwords w/ 17 Characters
9    Passwords w/ 18 Characters
1    Password w/ 24 Characters
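The breakdown above is the kind of output a defender produces when triaging a leaked credential list before forcing resets. As an added example, not code from the article or from ESA, the script below runs that analysis on a small constructed record set: it builds the same length histogram and flags the accounts whose passwords would fall first (very short, in a common-password list, digits only, or built from the user's own name or email address). SAMPLE_RECORDS is constructed for illustration and COMMON holds only the four passwords the article names; a real audit would load a full wordlist.

```python
"""Length histogram plus weak-password flags over a leaked-list sample.
Added example; the records are constructed, not the real ESA data."""
import re
from collections import Counter

# Constructed (name, email, password) records; not from the real leak.
SAMPLE_RECORDS = [
    ("Ada Example", "ada@example.org", "esa"),
    ("Bo Example", "bo@example.org", "469"),
    ("Cy Example", "cy@example.org", "trustno1"),
    ("Di Example", "di@example.org", "rainbow6"),
    ("Ed Example", "ed@example.org", "12345678"),
    ("Fay Example", "fay@example.org", "fay2011"),
    ("Gus Example", "gus@example.org", "Gx!8pqL2#vT7eR4wZ1mN"),
    ("Hal Example", "hal@example.org", "correct-horse-ok"),
]

COMMON = {"trustno1", "rainbow6", "password", "12345678"}  # from the article


def length_histogram(records):
    """Return [(count, length), ...] ordered like the article's breakdown:
    most frequent length first, ties broken by ascending length."""
    counts = Counter(len(pw) for _, _, pw in records)
    return sorted(((c, n) for n, c in counts.items()), key=lambda t: (-t[0], t[1]))


def derived_from_identity(name, email, password):
    """True if the password contains a name token of 3+ characters or the
    email local part, case-insensitively. Very short local parts can
    false-positive; a production check would apply a minimum length there too."""
    pw = password.lower()
    tokens = {t for t in re.split(r"\W+", name.lower()) if len(t) >= 3}
    tokens.add(email.split("@")[0].lower())
    return any(t and t in pw for t in tokens)


def weak_reasons(name, email, password):
    """Reasons this password would be among the first to fall; [] if none."""
    reasons = []
    if len(password) <= 5:
        reasons.append("short")
    if password.lower() in COMMON:
        reasons.append("common")
    if password.isdigit():
        reasons.append("digits-only")
    if derived_from_identity(name, email, password):
        reasons.append("identity")
    return reasons


def audit(records):
    """Return (histogram, {email: reasons}) containing only flagged accounts."""
    flagged = {}
    for name, email, pw in records:
        reasons = weak_reasons(name, email, pw)
        if reasons:
            flagged[email] = reasons
    return length_histogram(records), flagged


def weak_share_percent(records):
    """Percentage of accounts flagged, rounded to one decimal place."""
    _, flagged = audit(records)
    return round(100.0 * len(flagged) / len(records), 1) if records else 0.0


if __name__ == "__main__":
    hist, flagged = audit(SAMPLE_RECORDS)
    for count, length in hist:
        print(f"{count:>5}    Passwords w/ {length} Characters")
    for email, reasons in flagged.items():
        print(f"{email}: {', '.join(reasons)}")
    print(f"{weak_share_percent(SAMPLE_RECORDS)}% of accounts flagged")
```

On a real dump the histogram alone tells the story the article tells here: a spike at three characters means the site enforced no minimum length, and the flagged set is the list of accounts to reset first.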

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.