The loose-knit hacking movement Anonymous claimed Sunday to have stolen thousands of credit card numbers and other personal information belonging to clients of security think tank Stratfor.One hacker said the goal was to pilfer funds from individuals' accounts to give away as Christmas donations, and some victims confirmed that there had been unauthorized transactions linked to their credit cards.
Anonymous boasted of stealing Stratfor's confidential client list, which includes entities such as Apple Inc., the U.S. Air Force and the Miami Police Department, and mining it for more than 4,000 credit card numbers, passwords and home addresses.
Austin, Texas-based Stratfor provides political, economic and military analysis to help clients reduce risk, according to a description on its YouTube page. It charges subscribers for its reports and analysis, delivered through the Web, emails and videos. The company's main website was down Sunday, with a banner saying the "site is currently undergoing maintenance."
Proprietary information about the companies and government agencies that subscribe to Stratfor's newsletters did not appear to be at any significant risk, however, with the main threat posed to individual employees who had subscribed.
"Not so private and secret anymore?" Anonymous taunted in a message on Twitter, promising that the attack on Stratfor was just the beginning of a Christmas-inspired assault on a long list of targets.
Anonymous said the client list it had already posted was a small slice of the 200 gigabytes worth of plunder it stole from Stratfor and promised more leaks. It said it was able to get the credit card details in part because Stratfor didn't bother encrypting them — an easy-to-avoid blunder which, if true, would be a major embarrassment for any security-related company.
Fred Burton, Stratfor's vice president of intelligence, said the company had reported the intrusion to law enforcement officials and was working with them on the investigation.
Stratfor has protections in place meant to prevent such attacks, he said. "But I think the hackers live in this kind of world where once they fixate on you or try to attack you it's extraordinarily difficult to defend against," Burton said.
Hours after publishing what it claimed was Stratfor's client list, Anonymous tweeted a link to encrypted files online with names, phone numbers, emails, addresses and credit card account details.
Anonymous also linked to images online that it suggested were receipts for charitable donations made by the group manipulating the credit card data it stole.
"Thank you! Defense Intelligence Agency," read the text above one image that appeared to show a transaction summary indicating that an agency employee's information was used to donate $250 to a nonprofit.
One receipt — to the American Red Cross — had Allen Barr's name on it.
Barr, of Austin, Texas, recently retired from the Texas Department of Banking and said he discovered last Friday that $700 had been spent from his account. Barr, who has spent more than a decade dealing with cyber crime at banks, said five transactions were made.
"It was all charities, the Red Cross, CARE, Save the Children. So when the credit card company called my wife she wasn't sure whether I was just donating," said Barr, who wasn't aware that his information had been compromised when Stratfor's computers were hacked until a reporter with the Associated Press called.
"It made me feel terrible. It made my wife feel terrible. We had to close the account."
Wishing everyone a "Merry LulzXMas" — a nod to its spinoff hacking group Lulz Security — Anonymous also posted a link on Twitter to a site containing the email, phone number and credit card number of a Department of Homeland Security employee.
The employee, Cody Sultenfuss, said he had no warning before his details were posted.
"They took money I did not have," he told the Associated Press in a series of emails, which did not specify the amount taken. "I think 'Why me?' I am not rich."
The breach doesn't necessarily pose a risk to owners of the credit cards. A card user who suspects fraudulent activity on his or her card can contact the credit card company to dispute the charge.
Stratfor said in an email to members that it had suspended its servers and email after learning that its website had been hacked.
