NullCrew hacks MoD – leaks thousands of plaintext credentials

The first indication of the hack came in an announcement by OfficialNull on Twitter at around midnight of 5 November: “We should have the database from the UK Ministry of Defence (mod.uk) up tonight for you guys.” A few hours later a list of email addresses and passwords was dumped on pastebin and anonpaste. 

The accompanying explanation is brief. It links the attack to NullCrew’s F The System campaign, points out that “Your webmaster made a terrible mistake”, and claims the breach was via an “easy... SQL Injection.” The brevity of the note suggests it may have been produced hurriedly, pointing to a recent hack and a possible link to the most important anti-government date on the UK calendar.

“From reading their announcement,” security researcher and pentester Robin Wood told Infosecurity, “the vulnerability was a simple SQL injection. If that is the case then I would guess it means the site hasn't been security tested as even an automated test should pick up basic SQLi.” Wood has had reports from colleagues who have looked at the site, “and they have spotted other easily detected serious vulnerabilities. I'd recommend,” he continued, “that the site is taken offline at least temporarily while an audit is done to work out how many issues there are and whether it is safe for it to go back online after some quick patches – or whether it needs more serious work.”

The listed emails and passwords are all in plaintext. They don’t appear to be sensitive in a military sense. They include 728 Hotmail addresses, 207 Gmail addresses, and a further 111 Googlemail addresses. There are 123 .gov addresses. These seem to belong primarily to government agencies such as the UK Hydrographic Office and local authorities. There seems to be a high incidence of Portsmouth and Plymouth references, two of the UK’s navy centres.

“I’ve analysed the passwords,” continued Wood, “and looking at the ones from Portsmouth there was obviously no policy in place governing length or complexity. There is a password of just one character and twenty of just three characters.” The most common passwords contain words related to sailing or that part of the world. “I’d hope that everyone in the list is contacted and warned about the leak – and advised to change their passwords on other sites as there is a good chance that some of the users will have reused them.”

Wood fears that the breach will get a lot of attention from other hackers “who will want to replicate the attack. I think they are in for some rough times over the next few days and weeks.”
