Cyber-Attacker Dumps Log-ins for 20,000 Customers, U.S. Employees

An admirer of Anonymous acted independently to breach an outsourced provider and steal a customer list with log-in credentials. Many on the list were U.S. government employees.

A solo attacker has hacked into an events management company and obtained sensitive information belonging to 20,000 individuals, many of whom were United States government employees or contractors.

The cyber-attacker posted an Excel spreadsheet containing log-in credentials and personal information for 20,000 people obtained from, according to a blog post signed by "Thehacker12" on Aug. 22. is a professional trade show management company that manages conferences, meetings and trade shows for customers, according to the company Website.

The list has been made public on Pastebin and Mediafire and a message posted on Twitter: "20,000 email-passwords had been leaked consisting mostly of US Mill Army, Govern. & corporate giants."

The spreadsheet contains usernames, passwords, email addresses. company name, and also whether the individual works for a government agency, Catalin Cosoi, head of Bitdefender Online Threats Lab, told eWEEK. Identity Finder, a data loss prevention software vendor, ran the file through its software and found 13,322 passwords and 17,590 email addresses in the file. Only 11,358 of the passwords had a username associated with them, Todd Feinman, CEO of Identity Finder, told eWEEK.

The file also contained 17,668 company names, of which 14,739 were unique, and most had only one email address associated with each name, according to the analysis. This means more than 14,000 organizations may be affected by Thehacker12's breach of

Since managed events for customers, it is likely that the list contained the person in each organization who was working directly with the provider. However, there were some organizations with 10 or more email addresses associated with the name, Identity Finder found in its analysis.

"Interesting to note most of these are government entities," Feinman said.

The U.S. Small Business Administration had 70 entries, followed by 42 from the U.S. General Services Administration, 37 from the U.S. Department of Commerce, 34 from the U.S. General Services Administration and 33 from the U.S. Department of State. Other affected organizations include the Federal Aviation Administration, U.S. Army Corps of Engineers, national nonprofit agency NISH, U.S. Department of Housing & Urban Development, U.S. Environmental Protection Agency and the VA Medical Center. Defense and government contractors Honeywell, BAE Systems, WP Hickman Systems and CH2m Hill were also on the list.

Considering the high incidence of password reuse by Internet users, it is possible that the information could lead to identity fraud, said Identity Finder's Feinman. "Passwords are a digital identity," and the victims will not know if an identity thief is testing out username or email address and password combinations to try to login to the online bank, online retailers or other services, Feinman said.

Bitdefender's Cosoi noted that most of the email addresses on the list are work accounts, which means a malicious third party now has login credentials that may work when trying to breach one of the affected organizations' network and systems or the corporate email server. This level of access can "lead to blackmail, extortion or selling private data to third parties" or targeted emails sent to other employees within the organization from the victims' accounts, he said.

Noting the "significant number of government agencies" in the leaked file, "we can conclude that this data leak will have serious unpleasant consequences," Cosoi said.

Identity Finder's software allows organizations to prevent identity theft and data leakage by searching and securing sensitive data that could be used to commit identity fraud. The software can look at both structured and unstructured data and find instances where sensitive information such as Social Security numbers or credit card information are stored. With the software, organizations can identify all the places where the information is located and protect them accordingly.

The perpetrator claims to be "an AntiSec supporter" but not a member of the hackers collective Anonymous. AntiSec is a movement initially launched by the cyber-group LulzSec earlier this summer to hack into government systems and expose secrets and documents. Anonymous has recently breached a number of defense contractor and law enforcement Websites under the AntiSec banner.

"His or her deeds actually support the same side of the story, which is hacking for the sake of publicly making an anti-establishment point," said Cosoi. Both the media and law enforcement authorities are focused on Anonymous and LulzSec, leaving the "door open to other small groups to make a stand and show their skills" and continue the AntiSec activities without drawing too much attention, Cosoi said.

Thehacker12 has been busy over the past week, mining and dumping three other files containing a total of 16,500 other email and password combinations stolen from unknown targets. His method of attack remains unclear.