The Hacker Calls Himself “FEAR”
In a recent contact made with the hacker it was exposed that the data breach did not only provide access to personal information. The hacker, FEAR, says there are also “emails” within the databases. Theses databases are, from previously contacted sources, said to be US State government websites, that could disclose private conversations between high level officials. This is the first major data breach on the State level.
This data dump could very well expose corruption on the State levels within the US government. We will be on the lookout for the emails mentioned by “FEAR” and their contents will be evaluated for corruption when they are made public.
A Message From “FEAR” to Federal Agencies.
How Easy It Was – US Government Doesn’t Even Encrypt Private Citizens Data!
A hacker known as Fear appears to have hacked hundreds of government servers used to upload and download files from the internet.
Fear, who claims to be a teenager, said he took advantage of lax security at the company Neustar to gain access to a large number of FTP (File Transport Protocol) servers.
Servers for file transport are often used to upload data to a website, and run off of the same types of domain names as websites.
Neustar is in charge of the “.us” top-level domain, an alternative to “.com,” “.edu” and “.org.”
By hacking Neustar, Fear gained access to the FTP accounts for every site with an address ending .us.
“I hacked into the Neustar FTP, and I dumped their files, and in the files there were a list of each and every FTP server on a .us, and it had their passwords, users, ftp ip, hostname, and domain,” said Fear in an online chat.
Many of the servers that host .us accounts also host “.gov” accounts, leaving Fear with what he claimed was access to a wide variety of government information, including voter registrations for every county in all 50 states, prescription databases and the Department of Education.
“It only takes 13 hours and 23 minutes and 12 seconds for somebody to finish gathering data on every US citizen,” Fear boasted.
Many states used poor security practices, he said, using passwords no more than five characters and failing to encrypt sensitive information.
FEAR Contacted Databreaches.net
“Sad to know .us domains are so unsecure”
A private message to DataBreaches.net on Saturday evening was the prelude to a young hacker downloading tremendous amounts of data from states.
Over the next few hours, a teenage hacker known to DataBreaches.net from his past hacking activities would remind us once again just how insecure everything was, showing this blogger samples of files that he obtained in a hack that not only gave him access to every state with a domain on .us, but also to some .gov domains such as the U.S. Department of Education.
When asked how he obtained access, he replied:
I gained access to an ftp server, that listed access to all the ftp’s on .us domains, and those .us domains were hosted along with .gov , so I was able to access everything they hosted, such as, public data, private data, source codes etc…
He declined to reveal what .gov sites, other than USED, he was able to access, but did expand a bit on his previous answer, telling DataBreaches.net:
It was very simple to gain access to the 1st box that listed all the .us domains, and their ftp server logins. I went through each and every one, it was legit. I am pretty sure about every person who does security researching can do this, yes, it may have took me about 3 hours or 4 hours or looking around, but it is still possible.
Encryption was no obstacle for him, he said, because he saw no evidence that encryption was used at all: “I was able to read all of it in plain text form.”
As he acquired files, the teenager commented in a private chat on what he was obtaining: Social Security numbers in one file, credit card numbers in another, postal and email addresses and phone number of Minnesota school board candidates in another, web-banking transactions from the First Bank of Ohio, and more, he claimed.
The hacker seems to have paid particular attention to Florida. Just one file alone from Florida had 267 million records, another had 76 million, he told DataBreaches.net.
“i just got access to a total of Social Security’, 101087939 numbers,” he claimed at another point, without indicating which state it was from.
i have been wget one state for like an hour lmao
entries in total
Hacker says he’ll dump the data online
The hacker also bragged about downloading 101,087,939 Social Security numbers from an unnamed state, and currently downloading another 400 million records from other sources.
All this constant downloading of personal information gave the hacker away, and after a few hours, he lost access to some servers. For the time being, it is unknown who detected the intrusion. Fear declined to mention which servers he had lost access to.
The hacker also said that many of these government FTP servers were improperly secured, with six of the 50 states using five-character-long passwords.
Fear has stated he plans to leak some of the data. “When I dump the data, well if I choose too, I will include credit cards , social security and address, phones , names,” Fear told Softpedia in a Twitter conversation.
Softpedia has reached out to Neustart seeking comment on the incident. We will update the post if we receive an official statement.