A teenage hacker going by the pseudonym Fear has claimed that he has gained access to hundreds of US government servers hosted on .us and .gov domains and stolen a massive trove of personal information of US citizens. The hacker also claimed that he was able to access voter registration data and Florida's pharmacy prescription monitoring program. Fear said that he plans to dump some of the data online.
Fear also claimed that he downloaded massive amounts of data from the .us and.gov domains, which generally host US state government websites. He said that he was able to steal social security numbers, credit card numbers, email and physical addresses, phone numbers, web-banking transactions and more.
"I gained access to an ftp server, that listed access to all the ftp's on .us domains, and those .us domains were hosted along with .gov , so I was able to access everything they hosted, such as, public data, private data, source codes etc.", Fear told Databreaches.net. "It was very simple to gain access to the 1st box that listed all the .us domains, and their ftp server logins. I went through each and every one, it was legit. I am pretty sure about every person who does security researching can do this, yes, it may have took me about 3 hours or 4 hours or looking around, but it is still possible."
Data stored in cleartext
The teen hacker also claimed that all the data he uncovered was stored in cleartext and came with no encryption. "I was able to read all of it in plain text form," he said. He also claimed to have downloaded 101087939 social security numbers from an unnamed state, adding that he was able to amass thousands of credit card numbers as well.
Specifically, the hacker claimed that he stole banking transactions from the First Bank of Ohio, email address, phone numbers and physical address of candidates of the Minnesota school board, Washington state voter registration and pharmacy prescription monitoring information for the state of Florida, among others.
Data may be leaked online soon
Fear says that he plans to dump some of the data online but refrained from mentioning the exact time and kind of information he intends to leak. "When I dump the data, well if I choose too, I will include credit cards, social security and address, phones, names," the hacker told Softpedia.
However, Fear's constant activities may have issued a red flag, as the hacker also noted that he briefly lost access to some of the servers. He said that on attempting to login he found that "they took the entire .us ftp server down." He however refrained from mentioning which servers he lost access to, adding that Florida's site, which was also briefly online, later came back up but with password protection.
It is still unclear as to who uncovered the breach at the government end and how many users it has impacted.
After this article was published, the alleged hacker Fear, posted a statement claiming to have lied to the media to "troll them". In light of the statements made, reports suggest that evidence of any new cyberattacks provided by the supposed hacker may also dubious.
Fear's statement reads:
"Hello, media, hackers, pentesters.
Today I will be revealing the truth.
I did not hack Neustar, i lied to media to troll them. I hacked into 38 government ftp servers, and had access to states data. The bank breaches included has nothing to do with my breach on the ftps. I gained access to the banks because i breached north dakota bank back in early 2016. I had access to gov banks in each state. So i used it to troll the media.
Yes, the government did get hacked, along with social security numbers from the back, tax papers, voting data. But Neustar was a mirage to troll the media.
What really happened (SUMMARY)
-United States banking server with known gov banks was breached. (100million SSNs, maybe more.)
-Government FTP servers hacked via exploit, not neustar.
-30+ .US and .gov domains were hacked via exploit.