Members of the hacker collective Anonymous claim they have stolen about 14,000 user passwords and 8,000 credit card numbers from SpecialForces.com, a military and law enforcement equipment retailer. The data breach occurred several months ago, according to Anonymous, but the group only now decided to post the data online. The purloined password list had reportedly been posted online several weeks ago as well.
A Twitter account associated with Anonymous has posted a screenshot of an e-mail from SpecialForces.com dated Dec. 15 admitting to the data breach. The purported SpecialForces.com e-mail confirms that Anonymous obtained customer usernames, passwords, and possibly encrypted credit card information. The e-mail advises customers that all passwords were blocked as a security precaution to prevent misuse of user accounts. SpecialForces.com was unavailable for comment, and attempts to contact purported victims of the Anonymous hack were unsuccessful.
Anonymous members were apparently motivated to attack SpecialForces.com because, the hackers believe, the site's customers are largely "military and law enforcement affiliated individuals." The attack on SpecialForces.com is part of a larger Anonymous hacking campaign called LulzXmas. The campaign included the recent attack on Stratfor Global Intelligence, a think tank focused on international security issues. In that attack, Anonymous was able to obtain more than 53,000 client e-mail addresses as well as credit card numbers and other personal information. Stratfor's website has been down since the attack over the Christmas weekend. Anonymous describes LulzXmas as a weeklong hacking campaign targeting sites related to global finance, militaries and governments.
UPDATE (4:05 p.m. EST): Special Forces Gear, the company behind SpecialForces.com, issued the following statement to PCWorld: "Last August 2011, Special Forces Gear's web servers were compromised by the hacker group Anonymous, resulting in a security breach that allowed the hackers to obtain customer usernames, passwords, and possibly encrypted credit card information in some cases... The compromised customer passwords were from a backup of a previous version of the website that is over a year old. Most of the credit card numbers are expired, and we don't have evidence of any credit card misuse at this time. The current website does not store customer passwords or credit card information... After the security breach, we completely rebuilt our website and hired third-party consultants to help us shore up website security."