Anonymous, the hacking collective, has claimed to have played a prank on the European Space Agency (ESA) ahead of Christmas by hacking several of its subdomains. However, this will be no fun for the roughly 8,000 people whose names, contact details and passwords were posted on JustPaste.it.
ESA has yet to acknowledge the hacking, which also could not be verified independently.
The hackers claim the compromised data was taken from ESA subdomains including sci.esa.int, exploration.esa.int and due.esrin.esa.int. For each domain, the reason given for the hack is "Motivation: Lulz", a variation of LOL, or laugh out loud.
The compromised records were divided into three files: the site's database, registered schemas, and ESA supporters and researchers. The last two contain names, contact details, emails, and the names of the organisations those people belong to. One of the files, "c4_subscriber", holds more than 8,000 names, emails and passwords, the majority of which are three-digit passwords.
An analysis by CSO magazine suggests 39%, or 3,191 of the 8,170 passwords exposed, were just three characters long, a combination of three digits. The second largest set of passwords, used by about 16%, or 1,314 people, consisted of eight characters each. Many of these, such as trustno1, rainbow6, password and 12345678, were easily cracked.
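The CSO analysis described above is a simple exercise in bucketing leaked credentials by length and flagging the obviously weak ones. The script below is an added example, not code from the article or from CSO, that performs that kind of audit over a small constructed sample (none of the records are from the breach). The sample records, the `COMMON` list (seeded with the four passwords the article names) and the 20-character threshold for "likely generated by a password manager" are assumptions for illustration.

```python
from collections import Counter

# Constructed sample dump, not data from the breach: (email, password) pairs.
SAMPLE = [
    ("u1@example.org", "123"),
    ("u2@example.org", "456"),
    ("u3@example.org", "789"),
    ("u4@example.org", "007"),
    ("u5@example.org", "password"),
    ("u6@example.org", "12345678"),
    ("u7@example.org", "trustno1"),
    ("u8@example.org", "Summer2015"),
    ("u9@example.org", "Xk9#mP2q!vL4rT7wZa3b"),   # 20 chars, manager-style
    ("u10@example.org", "correcthorse"),
]

# Weak passwords named in the article; a real audit would use a full wordlist.
COMMON = {"password", "12345678", "trustno1", "rainbow6"}

# Assumed threshold: passwords this long are usually generated, not chosen.
GENERATED_LEN = 20


def length_distribution(passwords):
    """Map password length -> (count, percentage of all passwords)."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return {n: (c, round(100.0 * c / total, 1)) for n, c in sorted(counts.items())}


def classify(password):
    """Put one password into a weakness category (first match wins)."""
    if password.lower() in COMMON:
        return "common"
    if password.isdigit():
        return "digits-only"
    if len(password) >= GENERATED_LEN:
        return "likely-generated"
    return "other"


def audit(records):
    """Summarise a list of (email, password) records as an auditor would."""
    passwords = [pw for _, pw in records]
    categories = Counter(classify(pw) for pw in passwords)
    return {
        "total": len(passwords),
        "by_length": length_distribution(passwords),
        "by_category": dict(categories),
    }


if __name__ == "__main__":
    report = audit(SAMPLE)
    print(f"{report['total']} passwords")
    for length, (count, pct) in report["by_length"].items():
        print(f"  {length:>2} chars: {count:>3} ({pct}%)")
    for category, count in report["by_category"].items():
        print(f"  {category:<17} {count}")
```

The point of running something like this on your own user table (against hashes, you would instead check which entries fall to a dictionary) is to quantify exposure before an attacker does: a site where 39% of accounts are protected by three digits needs a minimum-length policy and a breached-password check at registration, not just a reset email after the fact.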
Users with 20-character passwords seem to have used a password manager, as did those using 12- and 15-character passwords. Anonymous reportedly told HackRead it carried out the hack "because Xmas is coming and we had to do something for fun, so we did it for the Lulz."
The cyberattack was carried out through a blind SQL injection vulnerability, which gave the hackers access to the site's database. The Anonymous hackers behind the attack are said to be the same group that caused the data breach of 1,000 officials at the UN climate talks in Paris and at the World Trade Organisation (WTO).