The hacker’s name is Fear (@hackinyolife on Twitter), and this all seems to be an accidental hack, with the perpetrator stumbling upon a treasure trove he never expected to find.
“I gained access to an ftp server, that listed access to all the ftp’s on .us domains, and those .us domains were hosted along with .gov, so I was able to access everything they hosted, such as, public data, private data, source codes etc.,” Fear told DataBreaches.net in an exclusive interview.
In a separate conversation with Softpedia, the hacker said this first FTP server he breached belonged to the official .us registrar which, according to Wikipedia, is Neustar. Fear confirmed via Twitter that he did hack Neustar.
Troves of sensitive data stored in cleartext
While anyone can register a .us domain, most of the time these domains are used to host local state government websites.
Fear claims he was able to download large amounts of data from these state websites. He also says that all the data he found was stored in cleartext, with no encryption.
The hacker also affirms he was able to steal Social Security numbers, credit card numbers, postal and email addresses, phone numbers, web-banking transactions, US voter registration data, and more.
In specific cases, the hacker stole postal and email addresses and phone numbers of Minnesota school board candidates, banking transactions from the First Bank of Ohio, pharmacy prescription information from the state of Florida, voter registration for the state of Washington, and more.
Ironically, just last week, US-CERT had issued an alert to state agencies about the possibility of attacks meant to steal US voter registration information. The advisory came after two high-profile cyber-attacks on state election systems, in Arizona and Illinois, at the end of August.
Hacker says he’ll dump the data online
The hacker also bragged about downloading 101,087,939 Social Security numbers from an unnamed state, and said he was currently downloading another 400 million records from other sources.
All this constant downloading of personal information gave the hacker away, and after a few hours, he lost access to some servers. For the time being, it is unknown who detected the intrusion. Fear declined to mention which servers he had lost access to.
The hacker also said that many of these government FTP servers were improperly secured, with six of the 50 states using five-character-long passwords.
Fear has stated he plans to leak some of the data. “When I dump the data, well if I choose to, I will include credit cards, social security and address, phones, names,” Fear told Softpedia in a Twitter conversation.
Softpedia has reached out to Neustar seeking comment on the incident. We will update the post if we receive an official statement.