Anonymous supporters, Guatemala City
Anonymous supporters wear Guy Fawkes masks made popular by the film V For Vendetta Reuters

Online activist group Anonymous has released a cache of data which it claims are the personal details of South African government employees. The leak includes names, phone numbers, email addresses and passwords of more than 1,000 employees from a Government Communications and Information Systems (GCIS) portal.

The group said it leaked the data to protest against child labour, corruption and internet censorship in the African continent.

It reportedly gained access to the employee database by hacking an outdated GCIS portal, with South African officials telling Infosecurity Magazine that the vulnerability had since been tracked down and fixed.

Anonymous, a loose international coalition of hackers and activists, pledged to target Africa in a video released in January. "The focus of the operation is a disassembly of corporations and governments that enable and perpetuate corruption on the African continent," the group said. "This consists of organisations responsible for child abuse/labour as well as internet censorship within the continent and globally."

Poor passwords

Anonymous told Softpedia that it had acquired information on more than 33,000 job seekers from the portal, but that it had opted to leak only the personal details of government employees.

South African software developer Evan Knowles wrote in a blog post that the leak revealed glaring flaws in the government's digital security apparatus.

Of the 1,116 passwords from the GCIS data dumped on the internet, Knowles said it was trivial to crack more than a half of them.

"The actual passwords were hashed, no salt, with MD5 which is not recommended due to the ease of cracking these passwords on modern systems," he wrote.

More than half of the passwords did not contain a number and were less than six characters in length, while nearly a third contained the word "password". The three most commonly used passwords were: password1, password01 and password02.

"Not too imaginative, but strangely satisfyingly stereotypical as far as poor passwords go," Knowles wrote.