90000 Military Passwords Stolen from Booz Allen Hamilton

Date: 2011-07-12 07:06:36

On Monday, July 11, 2011 the hacker group Antisec announced they had infiltrated Booz Allen Hamilton and stolen over 90,000 email addresses and passwords.

In their announcement, they said: “We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!).”

Their comment about non-salted md5 hashes, means these passwords will be decrypted and viewable very quickly. A non-salted md5 hash is just one step above plain text password storage. Not what one would expect of such a company. To learn more abount hashes and salting see Healthy Passwords Explains hashes and salting.

If you or someone you know may have been affected, they can start by changing all email passwords. Once those are secure they need to start with highest risk sites and move down the list by priority. See Password Strategies for more ideas on securing your passwords.

2011-07-12 Update

According to Daniel Grzelak, founder of ShouldIChangeMyPassword.com, "Looks like Booz Allen Hamilton kept password histories so not only do users need to change their passwords, they need to be something new".

Many people cycle through passwords adding unique numbers or letters to slightly change it every month. People who use this strategy may need to re-architect their base password to prevent compromise.

ShouldIChangeMyPassword.com just posted 69,691 records. See our article for instructions

Category: Breach

Subcategory: Passwords