On February 6, 2011, as part of their attack on HBGary, the Anonymous group social-engineered the administrator of rootkit.com, Jussi Jaakonaho, to gain root access to rootkit.com. Anonymous then released the entire MySQL database backup and announced it using the Twitter account of HBGary's CEO, @aaronbarr: Sup, here's rootkit.com MySQL Backup http://stfu.cc/rootkit_com_mysqlbackup_02_06_11.gz #hbgary #rootkit #anonymous. The table below lists the accounts found in the rootkit.com MySQL database backup, with passwords in cleartext.
John the Ripper (JtR) was used to recover the cleartext passwords from the hashes. Most of the passwords were recovered by feeding a password dictionary to JtR, and the rest were recovered using JtR's incremental mode. Among the passwords found at rootkit.com, the following are the 10 most used passwords:
Testing a random sample of the passwords shows that many appear to be reused by the same user elsewhere, on sites presumably of lower value to the user, e.g. Facebook, Twitter, forum sites, secondary email accounts, etc. Mechanize has found that over 1500 accounts using @gmail.com alone can be used to log in to Twitter. If your account, or the account of someone you know, appears in the list below, we urge you to change the password immediately if it is used elsewhere, and to enforce the use of strong passwords.
UPDATE (February 15, 2011): The public disclosure on this page, with details of the rootkit.com accounts leaked by the Anonymous group, has sparked heated discussion due to potential password reuse. This has resulted in this page being brought down several times by our upstream providers. While we are making the effort to bring this disclosure to the public, we are no longer displaying the cleartext passwords below.
What should you do?
Use the search box below to find out if your email is in the list. If yes, you are advised to change your password immediately if it is still in use elsewhere. For your privacy, do not enter your complete email in the search box. Try using the first part of your email instead, e.g. example instead of email@example.com.
If you wish to have your entry removed from the list below, please send an empty email to firstname.lastname@example.org with the subject "rootkit removal request". The removal is done automatically within 24 hours if you send it from the same email address as the one that appears in the list. This page may be cached for up to 24 hours.
|ID||Email / Username||Password|