In all, 8,107 names, email addresses, and passwords were posted to the Web

Claiming the name Anonymous, those responsible for a weekend data breach at the European Space Agency (ESA) said the act was one of pure amusement (lulz) and not part of a larger scheme or protest.

The compromised records were discovered on the ESA subdomains targeted by Anonymous, including due.esrin.esa.int, exploration.esa.int, and sci.esa.int. Once the records were copied, they were posted to a public document server and shared among various people online.

The post exposing the breached data says the ESA attack was done for amusement only (lulz), and promoted the cyberguerrilla.org IRC server and the OpNewBlood / FreeAnons channels.

Along with database schemas and server stats, a second post by Anonymous also included 8,107 names, email addresses, and passwords. A third post exposed contact details for various ESA supporters and researchers.

The leaked data highlights a troubling problem with regard to the passwords used on the compromised domains. Of the 8,107 passwords exposed, 39 percent (3,191) were just three characters long (e.g. ‘esa’, ‘469’, ‘136’).

The second largest set of passwords, 1,314 (16%), were eight characters long, and based on their construction would have been easily cracked by most rule sets and dictionaries. Passwords such as trustno1, rainbow6, password, 12345678, and those based on the person’s name or email address would be the first to fall. Those users with 20-character passwords (and the one person with a 24-character password) clearly used a password management system to generate them, as did some of the others with 12 and 15 characters.

Based on the posted list, an unfortunate detail becomes rather clear: either the passwords were poorly secured and easily reversed, or they were stored in clear text inside the database. Both of those options are bad news, but worse if the data was stored in the clear.
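The two storage designs the article weighs, clear text versus a properly salted, slow hash, side by side. This is an added example and not code from the article or from ESA; how the compromised sites actually stored their passwords is not known from the posts, so the sample accounts below are constructed and the scheme shown (PBKDF2-HMAC-SHA256 with a per-user random salt) is one widely used choice, not a description of the ESA systems.

```python
"""Clear-text storage (what the dump suggests) next to salted PBKDF2-HMAC-SHA256,
which is what keeps a copied table from yielding usable passwords.
Added example; the ESA sites' real storage scheme is not known from the posts."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh 16-byte random salt is drawn per record unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample accounts (not from the dump); two users share a password.
SAMPLE_USERS = [
    ("anna@example.org", "esa"),
    ("marc@example.org", "esa"),
    ("lena@example.org", "trustno1"),
]


def clear_text_table(users):
    """The weak design: whoever copies the table has every password immediately."""
    return {email: password for email, password in users}


def hashed_table(users, iterations=DEFAULT_ITERATIONS):
    """The hardened design: each row holds only a salt and a slow digest."""
    return {email: hash_password(password, iterations) for email, password in users}


def reuse_visible(table):
    """True if two rows hold the same stored value, i.e. identical passwords are
    visible at a glance (always true for clear text, false once salted)."""
    values = list(table.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    weak = clear_text_table(SAMPLE_USERS)
    strong = hashed_table(SAMPLE_USERS)
    print("clear text exposes shared passwords:", reuse_visible(weak))
    print("salted hashes hide them:", reuse_visible(strong))
    print("login check:", verify_password("trustno1", strong["lena@example.org"]))
    print("wrong password:", verify_password("trustno2", strong["lena@example.org"]))
```

The record format carries its own iteration count, so the cost can be raised later and old rows re-hashed at next login; `hmac.compare_digest` avoids leaking how many leading bytes matched. Note that a slow hash does not rescue a three-character password: the length problem the article describes has to be fixed at the policy level, the storage problem at the database level.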
Even if the subdomains are not critical to the ESA, the data should have been protected better.

A brief breakdown of the passwords is below:

3,191 Passwords w/ 3 Characters
1,314 Passwords w/ 8 Characters
888 Passwords w/ 6 Characters
771 Passwords w/ 7 Characters
699 Passwords w/ 9 Characters
533 Passwords w/ 10 Characters
168 Passwords w/ 5 Characters
131 Passwords w/ 11 Characters
117 Passwords w/ 4 Characters
95 Passwords w/ 12 Characters
63 Passwords w/ 13 Characters
35 Passwords w/ 15 Characters
32 Passwords w/ 14 Characters
22 Passwords w/ 20 Characters
16 Passwords w/ 16 Characters
13 Passwords w/ 19 Characters
9 Passwords w/ 17 Characters
9 Passwords w/ 18 Characters
1 Password w/ 24 Characters
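The kind of audit that produces the breakdown above, run over a dump of name/email/password records: it tabulates password lengths in the article's format and flags the patterns the article calls out (three-character values, the common passwords it names, and passwords built from the account's own name or email). This is an added example, not the article's own tooling; the records are constructed for illustration and are not from the ESA dump, and the four-entry common-password set stands in for the full dictionaries a real audit would load.

```python
"""Audit a credential dump: length histogram plus per-record weakness flags.
Sample records below are constructed for illustration, not from the ESA dump."""
from collections import Counter

# Constructed sample records (name, email, password); not real leaked data.
SAMPLE_RECORDS = [
    ("Anna Rossi", "anna.rossi@example.org", "esa"),
    ("Marc Dubois", "marc.dubois@example.org", "469"),
    ("Lena Fischer", "lena.fischer@example.org", "trustno1"),
    ("Tomas Novak", "tomas.novak@example.org", "rainbow6"),
    ("Sara Lee", "sara.lee@example.org", "password"),
    ("Omar Haddad", "omar.haddad@example.org", "12345678"),
    ("Petra Kovac", "petra.kovac@example.org", "kovac2010"),
    ("Jon Smith", "jon.smith@example.org", "jon.smith"),
    ("Eva Berg", "eva.berg@example.org", "k7Qz!pL2mN9rX4wB"),
    ("Luca Conti", "luca.conti@example.org", "Vt8#qR2sLp9!mZx4Gh1w"),
]

# The passwords the article names as the first to fall to any wordlist;
# a real audit would load a full dictionary here instead.
COMMON_PASSWORDS = {"trustno1", "rainbow6", "password", "12345678"}


def length_breakdown(passwords):
    """Return [(length, count)] sorted by count descending, then by length."""
    counts = Counter(len(p) for p in passwords)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def _identity_tokens(name, email):
    """Lowercase tokens a password might be built from: name parts and the
    local part of the email address (whole and split on '.' or '_')."""
    tokens = set(name.lower().split())
    local = email.split("@", 1)[0].lower()
    tokens.add(local)
    tokens.update(t for t in local.replace("_", ".").split(".") if t)
    return {t for t in tokens if len(t) >= 3}  # ignore tiny fragments


def weakness_reasons(name, email, password):
    """Return the reasons a password would be among the first cracked (empty if none)."""
    reasons = []
    if len(password) <= 3:
        reasons.append("too short")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("common password")
    if any(token in lowered for token in _identity_tokens(name, email)):
        reasons.append("derived from name or email")
    return reasons


def audit(records):
    """Summarise a dump: length table, number and share of weak entries, per-record flags."""
    passwords = [pw for _, _, pw in records]
    flagged = {email: weakness_reasons(name, email, pw) for name, email, pw in records}
    weak = sum(1 for reasons in flagged.values() if reasons)
    return {
        "breakdown": length_breakdown(passwords),
        "weak_count": weak,
        "weak_share": round(100 * weak / len(records)) if records else 0,
        "flags": {email: reasons for email, reasons in flagged.items() if reasons},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RECORDS)
    for length, count in report["breakdown"]:
        print(f"{count} Passwords w/ {length} Characters")
    print(f"{report['weak_count']} of {len(SAMPLE_RECORDS)} ({report['weak_share']}%) flagged")
    for email, reasons in report["flags"].items():
        print(f"  {email}: {', '.join(reasons)}")
```

On the constructed sample, 8 of 10 records are flagged; the two survivors are the 16- and 20-character strings, which mirrors the article's observation that only the long, generated passwords in the dump would resist a rule-based crack.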