LONDON - The loose-knit hacking movement Anonymous claimed Sunday to have stolen thousands of credit card numbers and other personal information belonging to clients of the U.S.-based security think tank Stratfor.
One hacker said the goal was to pilfer funds from individuals' accounts to give away as Christmas donations, and some victims confirmed unauthorized transactions linked to their credit cards.
Anonymous boasted of stealing Stratfor's confidential client list, which includes entities such as Apple Inc., the Air Force, and the Miami Police Department, and mining it for more than 4,000 credit card numbers, passwords, and home addresses.
Stratfor, based in Austin, Texas, provides political, economic, and military analysis to help clients reduce risk, according to a description on its YouTube page. It charges subscribers for its reports and analysis, delivered through the Web, e-mails, and videos. The company's main website was down Sunday, with a banner saying the "site is currently undergoing maintenance."
Proprietary information about the companies and government agencies that subscribe to Stratfor's newsletters did not appear to be at any significant risk; the main threat was to individual employees who had subscribed.
Hackers taunt Stratfor
"Not so private and secret anymore?" Anonymous taunted in a message on Twitter, promising that the attack was just the beginning of a Christmas-inspired assault on a long list of targets.
Anonymous said the client list it had posted was a small slice of the 200 gigabytes of data it stole from Stratfor, and promised more leaks. It said it was able to get the credit card details in part because Stratfor did not encrypt them - a blunder which, if true, would be a major embarrassment for any security-related firm.
Fred Burton, Stratfor's vice president of intelligence, said the company had reported the intrusion to law enforcement. Stratfor has protections in place meant to prevent such attacks, he said.
"But I think the hackers live in this kind of world where once they fixate on you or try to attack you it's extraordinarily difficult to defend against," Burton said.
Just the A's
Hours after publishing what it said was Stratfor's client list, Anonymous tweeted a link to encrypted files online with names, phone numbers, e-mails, addresses, and credit card account details. "Not as many as you expected? Worry not, fellow pirates and robin hoods. These are just the 'A's," read a message posted online.
Lt. Col. John Dorrian, public affairs officer for the Air Force, said by e-mail that his service does not discuss specific vulnerabilities, threats, or responses to them. It will "continue to monitor the situation and, as always, take appropriate action as necessary to protect Air Force networks and information," he said.
Sgt. Freddie Cruz Jr., a Miami police spokesman, said he could not confirm that his agency was a Stratfor client.
Anonymous also linked to images online that it suggested were receipts for charitable donations made by the group using the credit card data it stole.
"Thank you! Defense Intelligence Agency," read the text above one image that appeared to show a transaction summary indicating that an agency employee's information was used to donate $250 to a nonprofit group.
One receipt - to the American Red Cross - had Allen Barr's name on it. Barr, of Austin, recently retired from the Texas Department of Banking and said he discovered Friday that $700 had been spent from his account.
"It was all charities, the Red Cross, CARE, Save the Children," Barr said. He was not aware until a reporter called that his information had been compromised.