The U.S. Federal Reserve has confirmed that hackers associated with Anonymous have breached its IT networks. The group accessed a Fed database and published usernames and passwords (hashed and salted), as well as contact information for 4,000 bankers.
The Wall Street Journal’s Victoria McGrane reported, “The Federal Reserve acknowledged Tuesday night that it had suffered a cybersecurity breach, making it the latest government victim of hackers. ‘The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,’ a spokeswoman from the Federal Reserve Bank of Richmond said in an emailed statement. ‘The exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve System.'”
The Register’s John Leyden added, “The breach allowed hacktivist ragtag collective Anonymous to post the names, email addresses, mobile phone numbers and login credentials (password hashes and IDs) of what it said were 4,000 senior US banking executives. The attack and subsequent leak was carried out as part of an ongoing campaign, dubbed Operation Last Resort, calling for reform of the justice system following the suicide of RSS and Reddit co-creator and activist Aaron Swartz. Swartz had been the target of a controversially aggressive federal cybercrime prosecution after he broke into MIT servers in an effort to liberate academic papers onto the internet.”
Alister Bull and Jim Finkle with Reuters noted, “The Fed declined to identify which website had been hacked. But information that it provided to bankers indicated that the site, which was not public, was a contact database for banks to use during a natural disaster. A copy of the message sent by the Fed to members of its Emergency Communication System (ECS), which was obtained by Reuters, warned that mailing address, business phone, mobile phone, business email, and fax numbers had been published. ‘Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised,’ the Fed said.”
ZDNet’s Violet Blue spoke with security expert Jon Waldman about the incident. He said, “As an information security expert, it’s my official position that there was a blatant and irresponsible lack of tact and urgency in the response by the Federal Reserve to the individuals and institutions contained in this list. I’d go as far as to say they have irrevocably LIED to their constituents here. Granted, there’s no immediate threat of funds-transfer or additional data loss, but there’s certainly an imminent danger here to each and every one of those accounts that have been exposed…. Both the institutions and the individuals contained in this list WILL be specific targets of Social Engineering and hacking attacks.”