Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest.
The compromised records were discovered on the ESA subdomains targeted by Anonymous, including due.esrin.esa.int, exploration.esa.int, and sci.esa.int. Once the records were copied, they were posted to a public document server and shared among various people online.
The post exposing the breached data says the ESA attack was done for amusement only (lulz), and promoted the cyberguerrilla.org IRC server and the OpNewBlood / FreeAnons channels.
Along with database schemas and server stats, a second post by Anonymous also included 8,107 names, email addresses, and passwords. A third post exposed contact details for various ESA supporters and researchers.
The leaked data highlights a troubling problem with regard to passwords used on the compromised domains. Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.).
The second largest set of passwords, 1,314 (16%), was eight characters long and, based on their construction, would have been easily cracked by most rule sets and dictionaries. Passwords such as trustno1, rainbow6, password, 12345678, and those based on the person's name or email address would be the first to fall.
Those users with 20-character (and the one person with a 24-character) passwords clearly used a password management system to generate them, as did some of the others with 12 and 15 characters.
Based on the posted list, an unfortunate detail becomes rather clear: either the passwords were poorly secured and easily reversed, or they were stored in clear text inside the database. Both of those options are bad news, but worse if the data was stored in the clear. Even if the subdomains are not critical to the ESA, the data should have been protected better.
A brief breakdown of the passwords is below:
3,191 Passwords w/ 3 Characters
1,314 Passwords w/ 8 Characters
888 Passwords w/ 6 Characters
771 Passwords w/ 7 Characters
699 Passwords w/ 9 Characters
533 Passwords w/ 10 Characters
168 Passwords w/ 5 Characters
131 Passwords w/ 11 Characters
117 Passwords w/ 4 Characters
95 Passwords w/ 12 Characters
63 Passwords w/ 13 Characters
35 Passwords w/ 15 Characters
32 Passwords w/ 14 Characters
22 Passwords w/ 20 Characters
16 Passwords w/ 16 Characters
13 Passwords w/ 19 Characters
9 Passwords w/ 17 Characters
9 Passwords w/ 18 Characters
1 Password w/ 24 Characters
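As an added illustration (not part of the original article and not ESA code), the sketch below shows a registration-time check that refuses the kinds of passwords described above, paired with salted PBKDF2 storage so that a copied table does not reveal plaintext. The 12-character minimum, the iteration count, and the sample user are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # assumed policy value, not taken from the article
ITERATIONS = 600_000     # assumed PBKDF2-HMAC-SHA256 work factor
# The weak examples the article names; a real deployment loads a full deny list.
COMMON = {"trustno1", "rainbow6", "password", "12345678"}


def reject_reason(password, name, email):
    """Return why a candidate password is refused, or None if it is accepted."""
    lowered = password.lower()
    if lowered in COMMON:
        return "common password"
    # Tokens of 3+ characters from the user's name and e-mail local part.
    local_part = email.split("@", 1)[0]
    tokens = re.split(r"[^a-z0-9]+", f"{name} {local_part}".lower())
    if any(len(t) >= 3 and t in lowered for t in tokens):
        return "derived from name or email"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


def hash_password(password):
    """Return a storable record: scheme, iterations, per-user salt, derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute the key from the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    # Constructed sample user and candidates, not records from the leak.
    for candidate in ("esa", "trustno1", "rossi-Orbit-2012", "violet-kettle-42-moon"):
        print(candidate, "->", reject_reason(candidate, "Maria Rossi", "m.rossi@example.org"))
```

Because each record carries its own random salt, two users with the same password get different stored values, which defeats precomputed lookup tables against a leaked database.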