Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Stratfor hacked by Anonymous – and my information gets stolen


Ah, it’s good to be back in the United States.

After a long holiday in New Zealand (more on that in a series of future posts), I’m almost ready to get back on the blogging trail.  And what better way to do it than to write about a breaking news topic?

If you’ve read my blog for any length of time, you know that I sometimes touch on foreign policy and how other countries and cultures are different from the United States.  The main reason I like it is that I subscribe to Stratfor (short for Strategic Forecasting), which is kind of like a shadow CIA. They provide analysis of global events on a daily basis and I like reading about them.  So, when I talk about China, or Japan, or Russia, or Stuxnet, it’s because I have been influenced by Stratfor.

Well, last night, I got an email from Stratfor founder George Friedman indicating that Stratfor had been breached.  I raised my eyebrows.  “Oh?” I said.  They said that they were suspending all email operations and that their list of corporate subscribers had been posted on other websites.  But a couple of hours later, I got another email that contained a bunch of nonsense text that looked like excerpts from a book, although mainly in note form.  “Well, that was weird,” I said.

Today, I got a follow-up mail indicating the nature of the breach.  On December 24th, an unauthorized third party hacked into Stratfor and stole personally identifiable information and credit card data.  “Um, what?” I said.  I did a bit more web searching.

As it turns out, the online activist group Anonymous hacked Stratfor and posted the information.  When I read that, I said “Oh… sh*t.”  They were able to access the data because it wasn’t encrypted (oh, that’s just awesome).  Furthermore, they posted the list of names online and used some of the credit card data to make purchases – actually charitable donations – using the information that they stole.

In other words, my information is at risk.  Probably disclosed.

Double sh*t.

I went back to the Stratfor follow-up email and read through it more closely.  They are working with an identity theft monitoring company, but in the meantime they gave the following advice:

- Contact my financial institution and notify them of this incident.
- If I see any unauthorized activity, notify my financial institution.
- Submit a complaint with the FTC.
- Monitor my credit using the three US reporting agencies (Equifax, Experian or Transunion).

You know, it’s weird.  I’ve seen a bunch of other hacks this year.  But I’m not a Sony subscriber, don’t use Citibank and was not really all that connected to the attacks; I only read and wrote about them.  But this one is personally real to me.  Very much so.

The Hacker News has a summary of the Stratfor hack, as well as some other information, including a video they posted on their web site.  I checked the link to the Pastebin site; none of my information is publicly posted yet, although Anonymous claimed in a tweet that they only posted the A’s, i.e., the first part of the list in alphabetical order.

I’m not sure what Anonymous’s goal here is, but it could be that Stratfor provides global intelligence and security analysis and this hacker group proved that their data – including mine – is not very secure.  How secure could this security company be?

I don’t know what the lesson learned is here.  What am I supposed to do, not subscribe to websites because they probably don’t have my information encrypted?  Maybe I should only subscribe to websites that I know do encrypt my information (Microsoft does this for important data like credit cards).  I decided to cancel my credit card and get a new one.  I don’t like doing that because:

  1. I have to update all of my auto-billing and change the credit card information on all of them.

  2. I had the number memorized, so I could type it in whenever I made online purchases.  Now I have to memorize a new one, which takes forever.

Or maybe I should start a consulting business that goes around advising companies how to protect their users’ data.

That’s not such a bad idea.

  • I find it disturbing, after the list of Stratfor's private clients was released, some of the names on that list. Such involving China, Korea, and other foreign countries you would rather not be involved with or giving INTELLIGENCE to.

  • Got here from your tweet in the #stratfor feed. As a subscriber to Stratfor myself I was definitely concerned about the nature and scope of the attack, particularly if my CC info was compromised, considering a paycheck-to-paycheck person such as myself would be pretty devastated if I started getting loads of unauthorized charges.

    That being said, you should check out Dazzlepod's (http://bit.ly/rCI0lf) page which will let you c-r your email address with the dumped list of compromised accounts to see if you're one of them.

    Secondly, Anonymous' self-appointed PR person is stating that the purpose of the breach was to secure email communications between Stratfor and private corporate and state clients in the hopes that in sifting through that data, they could further their campaign to "[investigate] this state-corporate alliance against the free information movement". (see: Pastebin) Whether or not the CC info was just too low-hanging a fruit to pass up during the breach or whether that was the goal all along doesn't really matter at this point. The notion that any money skimmed from compromised CC#s is going to go to charity is also kind of absurd when you consider the mechanisms the banking and credit card industry have in place to reverse fraudulent charges like this. In the end, the charity organizations that end up receiving cash are likely to end up losing money via fraudulent transaction fees levied against them by the banks or credit card companies. The potential blowback for that alone is pretty huge.

    I'm hoping Mr. Friedman and Co. get their ship righted and back to sailing soon though. I'm already jonesing from Peter Zeihan and Reva Bhalla withdrawal. Not pretty.

    @ Justin: As a subscriber to Stratfor, I admittedly have a fetish for geo-political news of all shades and was genuinely interested in what kinds of corporate and state agencies also patronize the company. When you understand that Stratfor is primarily an OPEN SOURCE (read: overt, publicly available) intelligence, analysis, and strategic forecasting agency, with a cadre of analysts that are widely perceived to give professional, unbiased analysis, it makes a lot of sense that individuals that represent a wide range of corporate or state agendas would be interested in what an agency like Stratfor would think. There is nothing shady or wrong with that.

  • Thanks, Anon.

  • I happen to know that even though Stratfor claims to be a security company, they take absolutely no efforts to be secure. The head of security hired an accountant that stole a large sum of money from the company. The accountant turned out to be an illegal alien; no background check was made before hiring this person. It was the local police that brought this to Stratfor's attention. How safe is your money if they cannot keep their own money safe? How secure can they ever be if they cannot follow standard security measures? Look for a band-aid to be placed on this problem.