LulzSec seems to be on a bit of a tear lately.
Not happy with just hacking the hell out of Sony Pictures this past week, they have now decided to give the FBI the middle finger by hacking one of its private non-profit affiliate organizations, Infragard.
LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.
Where did the plain text passwords come from? Considering LulzSec was able to crack them, it would imply that the hashes were not salted, or that the salt used was stored in an insecure manner.
One interesting point to note is that not all of the users’ passwords were cracked… Why? Because these users likely used passwords of reasonable complexity and length. This makes brute forcing far more difficult, and LulzSec couldn’t be bothered to crack them.
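The salting and password-length points above, as an added example that is not part of the original post and does not reflect how Infragard actually stored passwords. The accounts, wordlist, unsalted SHA-256 "before" scheme and PBKDF2 parameters are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not breach data); two users share a weak password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "T7#qv!mZ2p-Lr9wKx"}
WORDLIST = ["password", "123456", "letmein", "qwerty"]  # constructed common passwords
ITERATIONS = 200_000  # assumed work factor for the hardened scheme


def unsalted(password):
    """Weak scheme: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def audit_unsalted(table, wordlist):
    """Defender's audit: one precomputed lookup table covers every account at once."""
    precomputed = {unsalted(word): word for word in wordlist}
    return {user: precomputed[h] for user, h in table.items() if h in precomputed}


def demo():
    weak_table = {user: unsalted(pw) for user, pw in USERS.items()}
    strong_table = {user: salted_hash(pw) for user, pw in USERS.items()}
    return {
        # alice and bob fall to the wordlist; carol's long password does not.
        "exposed_unsalted": sorted(audit_unsalted(weak_table, WORDLIST)),
        # Unsalted: 2 distinct digests for 3 users. Salted: 3 distinct digests.
        "distinct_unsalted": len(set(weak_table.values())),
        "distinct_salted": len({digest for _, digest in strong_table.values()}),
        "login_ok": verify("letmein", *strong_table["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With per-user salts, a guess has to be recomputed for each account at the KDF's cost, which is why the salt only helps if every user gets a different one.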
In addition to stealing data from Infragard, LulzSec also defaced their website with a joke YouTube video and the text “LET IT FLOW YOU STUPID FBI BATTLESHIPS” in a window titled “NATO – National Agency of Tiny Origamis LOL”.
Somehow I think LulzSec may have poked the wrong bear.