Hacker group Lulzsec, known for recent attacks against the likes of the NHS, the US Senate and the CIA, has posted a list of 62,000 usernames and passwords in its latest action.
The incident has already resulted in fraudulent purchases from e-commerce sites such as Amazon.com, according to reports.
12,000 of the username and password combinations appear to have been stolen from Writerspace.com, a discussion group centred on mystery and romance novels, and the site is in the process of determining what happened and contacting affected users.
“Today an anonymous group of hackers known as LulzSec posted a list of 62,000 email addresses and passwords,” Writerspace.com said in a message posted on its website. “That list included about 12,000 e-mail addresses and passwords from Writerspace members… Today’s email list was posted by the same group that hacked the CIA website earlier in the week and the US Senate website last week.”
The incident has broader scope because many of the users used the same username and password for multiple websites, including e-commerce websites.
As one user posted to Lulzsec’s Twitter feed: “It’s quite sad seeing how quite a few folks have the same password for multiple accounts. Picked up a few Amazon, Paypal etc.”
Users posting to Lulzsec’s Twitter feed said they had used the passwords to take over user acconts on Twitter, Facebook, World of Warcraft and other services.
Lulzsec, which claims to carry out its attacks for entertainment purposes, posted the list on Thursday morning on Mediafire, a file hosting website. The link was removed by Mediafire, and Lulzsec reposted the file on Thursday afternoon.
“We’re just hitting 2,000 downloads now; assuming Mediafire will keep it up for another 30-60 minutes, get it while you can,” posted a Lulzsec user on the group’s Twitter feed on Thursday afternoon.
The addresses included accounts belonging to employees of large companies including IBM and state and national government agencies in the US and Australia.
Affected organisations included the US Army, Navy and Air Force; the US Federal Communications Commission; the US National Highway Traffic Safety Administration; the US Department of Veterans Affairs; the US Coast Guard; AusAID; the Victorian Department of Childhood and Early Education; and several local councils in New South Wales and Victoria.
Other recent Lulzsec targets include Nintendo and Sony.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
View Comments
In light of the weeks denial of service attack on the websites belonging to the CIA and the US Senate, UK public sector organisations are reminded of the critical importance of guarding their online perimeter,” said Tom Turner, senior vice president of marketing and channels for Q1 Labs.
“With the European Union considering tougher penalties and responsibilities to protect against cyber attacks, government agencies need the ability to ensure compliance with IT security policies, establish new agency-wide benchmarks and generate continuous, real time reporting to protect themselves against an attack like we saw this week with the activities of LulzSec”
If LulzSec are "the Good guys" which given their irresponsable actions is doubtable. What are the REALLY BAD GUYS up too ?
Given Lulzsec hacked not just the perimeter but were able to extract pw's in such numbers beggers the questions:
HOW and WHY wernt they stopped ? Where were the GATEKEEPERS ? Were was the sql injection attack prevention (select * from ...) ?
Surely the perimeter defences wernt just dumb passwords ? and unchanged default ones at that.
I expect (nee demand) a proper duty of care of my login details from whoevers site expects/demands me to register to access it.
Proper system of security and defences need to be inplace to safegaurd the full systems not just the perimeter defences. If they were in place things like this would not be happening.
And wow people use the same passwords for multiple sites - i wonder why - could it be they cant remember the 200 or so they we are expected to keep ? i for one sure cant remember that many and as we all know you shouldn't write them down should you !! :)
Also in some ways some sites are guilty for forcing you to register with a user id and password (jafiptr) just to access them - when its not that its really needed to protect anything except the ego of the webmaster and a possible data feed to marketing dept (who will just spam you as a thank you).
Maybe its time we all moved on from the 1960's id & password as an authentication method.