sragan
Senior Staff Writer

European Space Agency records leaked for amusement, attackers say

News
Dec 14, 2015 | 2 mins
Data Breach, Security, Vulnerabilities

In all, 8,107 names, email addresses, and passwords were posted to the Web

Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest.

The compromised records were discovered on the ESA subdomains targeted by Anonymous, including due.esrin.esa.int, exploration.esa.int, and sci.esa.int. Once the records were copied, they were posted to a public document server and shared among various people online.

The post exposing the breached data says the ESA attack was done for amusement only (lulz), and promoted the cyberguerrilla.org IRC server and the OpNewBlood / FreeAnons channels.

Along with database schemas and server stats, a second post by Anonymous also included 8,107 names, email addresses, and passwords. A third post exposed contact details for various ESA supporters and researchers.

The leaked data highlights a troubling problem with regard to passwords used on the compromised domains. Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. ‘esa’, ‘469’, ‘136’, etc.).

The second-largest set of passwords – 1,314 (16%) – was eight characters long, and based on their construction these would have been easily cracked by most rule sets and dictionaries. Passwords such as trustno1, rainbow6, password, 12345678, and those based on the person’s name or email address would be the first to fall.

Those users with 20-character passwords (and the one person with a 24-character password) clearly used a password management system to generate them, as did some of the others with 12- and 15-character passwords.

Based on the posted list, an unfortunate detail becomes rather clear: either the passwords were poorly secured and easily reversed, or they were stored in clear text inside the database. Both of those options are bad news, but worse if the data was stored in the clear. Even if the subdomains are not critical to the ESA, the data should have been protected better.

A brief breakdown of the passwords is below:

3,191    Passwords w/ 3 Characters
1,314    Passwords w/ 8 Characters
  888    Passwords w/ 6 Characters
  771    Passwords w/ 7 Characters
  699    Passwords w/ 9 Characters
  533    Passwords w/ 10 Characters
  168    Passwords w/ 5 Characters
  131    Passwords w/ 11 Characters
  117    Passwords w/ 4 Characters
   95    Passwords w/ 12 Characters
   63    Passwords w/ 13 Characters
   35    Passwords w/ 15 Characters
   32    Passwords w/ 14 Characters
   22    Passwords w/ 20 Characters
   16    Passwords w/ 16 Characters
   13    Passwords w/ 19 Characters
    9    Passwords w/ 17 Characters
    9    Passwords w/ 18 Characters
    1    Password w/ 24 Characters