Fast Company

LulzSec Leaks 62,000 Passwords, Usernames For Unknown Sites

Until now, the antics of LulzSec have seemed more or less harmless (depending on where you draw the line on the criminality of White Hat hacking), but with the release of 62,000 usernames and passwords to unlisted sites, LulzSec has got personal.

LulzSec claims to have hit the CIA this week, and may also have again penetrated web security at the Senate's website, and an earlier LulzSec leak of over 20,000 usernames and passwords was confined to pornographic websites--headline-earning efforts indeed. But today's 62,000-plus list actually doesn't mention which site the passwords and login credentials are connected to. Its tweet announcing the leak simply says, "And as always, LulzSec delivers," then links to a file-locker site containing the password file, before adding "62,000+ emails/passwords just for you. Enjoy." A later tweet noted pleasure at the ensuing "carnage."

With this new action, LulzSec is again pointing out the security weaknesses of the sites it obtained the login codes for (which are being reported around the web as relating to online properties as diverse as the game World of Warcraft, and Gmail). But this time it's actively encouraging users to try out the hacked logins at random across the web, and that's a very different thing--it's almost pushing a mass-hacking agenda.

And there's a problem: You as a Net user don't know what the content of this file is unless you download it. So if your online presence is extensive and you're worried your data may be among the leaked list, the only option is to download it yourself and search for text that matches your logins--and ignore the gray area of legality of downloading this file full of clearly stolen data (which you can bet security forces are monitoring, in an attempt to identify LulzSec members).

Playing with the web presence of the CIA is one thing, but potentially hurting 60,000 people (whose only role in the affair is to have had their logins stolen from sites with compromised security) suggests that LulzSec--or possibly just a subset of what's assumed to be an amorphous entity--has decided its ill-defined agenda needs an aggressive, anarchic edge.

Chat about this news with Kit Eaton on Twitter and Fast Company too.


  • MadMarchHare

    The point LulzSec is making by leaking this data is that it would be completely useless if (and hopefully when) the denizens of the internetz begin taking their own security seriously by not using the same password and login for every website (from mail clients, to Amazon, Facebook and banks, etc) they decide and choose to frequent.

    LulzSec is poking fun at the collective users of the internet by revealing their disregard for responsibility and common sense.  Poking the bear, by attacking the government agencies, is to show the institutions who will be called upon to rectify the breaches in "security" are equally impotent, if not merely inept.  Again, Lulz defacing of the security company, Black & Berg CyberSecurity Consulting LLC, which has governmental contracts, solidifies this point.