Be careful what you say, or say nothing at all, advises hacked international intelligence and threat analysis firm Stratfor, after revealing hackers may be targeting members who offer public support for the company in the wake of a serious security breach. Stratfor was allegedly infiltrated Sunday night by hacktivist group Anonymous. Anonymous announced on Twitter that it had stolen thousands of credit card numbers as well as the personal information of Stratfor’s clients, posting links to some of that information Sunday and again on Monday.
Stratfor’s website was still inaccessible Tuesday morning, and the company has resorted to using its Facebook page to communicate with the public. It’s not clear what, if anything, hackers are doing to harass outspoken victims, but Stratfor’s cautioning against saying anything just the same.
“It’s come to our attention that our members who are speaking out in support of us on Facebook may be being targeted for doing so and are at risk of having sensitive information repeatedly published on other websites,” wrote the company on Sunday afternoon. “So, in order to protect yourselves, we recommend taking security precautions when speaking out on Facebook or abstaining from it altogether.”
It’s not yet clear what was taken in the alleged data heist, but Stratfor admits that on December 24, both “personally identifiable information” and “related credit card data” from its members were disclosed. But while the hackers claim they also obtained a list of Stratfor’s “private clients” — members who “have a relationship with Stratfor beyond their purchase of [the company’s] subscription-based publications” — Stratfor denies the charge, and says the list “was merely…of some of the members that have purchased our publications.”
Anonymous claims the data it obtained was unencrypted, and Stratfor hasn’t said whether it was or wasn’t. Storing personal data like names, addresses and telephone numbers unencrypted isn’t uncommon, but credit card data is almost always encrypted — if Stratfor’s credit card data was somehow stored unencrypted, it would be a major embarrassment for a company that’s built its brand on the basis of security and threat analysis.
The information — posted by Anonymous online and linked to through Twitter — is said to be an alphabetical listing of thousands of Stratfor clients, both individuals and companies, including financial, media and government groups. It also contains emails, allegedly between members of Stratfor’s information technology department.
The hackers announced they would donate any money obtained from the hack to charities, but the chances of that happening are virtually zero, since impacted members are doubtless freezing suspect cards and would see any illicitly donated money returned once the transaction posted.
Stratfor says it’s working with law enforcement to investigate the breach and is using a “leading identity theft protection and monitoring service” as it moves forward, adding that it will outline “services to be provided” in “a subsequent email that is to be delivered to the impacted members no later than Wednesday, December 28th.”