The personal details of more than 50,000 people were included in data published by Anonymous after the hacking of global intelligence firm Stratfor shortly before Christmas, according to an analysis of the posted information.
The data security firm Identity Finder said on Tuesday that the data published so far — Anonymous has promised further publications — includes the details of thousands of Stratfor subscribers with first names beginning with letters ranging from A to M.
"This is the latest data leak by 'breachers' who not only hack into corporations but also breach their data privacy by posting the information online," Identity Finder chief executive Todd Feinman said. "Unfortunately this problem will only get worse unless corporations minimise their data footprint and shrink their data target."
The published data includes 50,277 unique credit card numbers, of which 9,651 are not expired, Identity Finder said. Also included are 47,680 unique email addresses, 25,680 unique phone numbers and 44,188 encrypted passwords, "of which roughly 50 percent could be easily cracked". Of the email addresses, 13,973 were for victims inside the US, and the rest were for those in other countries, the company said.
The 'LulzXmas' hack, which led Stratfor to suspend its website and server operations, apparently took place on Christmas Eve. On that day, a Twitter account regularly used by the hacker group Anonymous revealed the breach, saying Stratfor had been "rooted".
A subsequent tweet from the same account began the gradual, daily publication of information Anonymous had copied from Stratfor's servers. All in all, Anonymous says it has taken 200GB of data from the firm's systems.
One tweet from Anonymous claimed the credit card information had been stored in clear text "with corresponding addresses". According to Feinman, "credit card fraud has already been well-documented in this incident".
One Christmas Day tweet from the Anonymous account refers to Operation Robin Hood, a joint plan cooked up by Anonymous and another hacker group, Team Poison, to steal money from people's bank accounts and redistribute it to the needy. However, it is not clear how strong the link is between this operation and the Stratfor hack.
The published information has included not only passwords and credit card details, but also a list purporting to be that of Stratfor's clients. These include various law enforcement agencies and defence contractors, and firms such as Microsoft, Apple and Intel.
There is some confusion over the nature of this particular list, which was tagged as part of the AntiSec campaign being carried out by Anonymous and yet another related hacker group, LulzSec. Anonymous referred to it in its publication as Stratfor's "private client list", but the firm itself said on its Facebook page that it was "merely a list of some of the members that have purchased our publications".
To add to the confusion, a message anonymously posted to Pastebin on Christmas Day, and claiming to come from Anonymous itself, said the hack had not been the work of Anonymous. The Anonymous Twitter account, however, seemed to dismiss this message as fake.