ABC Australia hacked – nearly 50,000 user credentials posted online, half cracked in 45 secs


Someone has claimed to have hacked into the ABC and has posted the details of 49,561 users and moderators online – including email addresses and encrypted versions of passwords. The leak appears to be from the ABC message boards (mainly because that is the only part of the ABC that requires login). The ABC has confirmed that the hack took place on the website for a show called Making Australia Happy, aired in 2010.

And while the passwords are encrypted, the ABC’s database leak does include your last updated IP address, your postcode, your state, and – for some unknown reason – your longitude and latitude position. In short: they have information that could help locate where you live.

The reason behind this, according to Phr0zenMyst on the Pastebin dump, was that the ABC was giving “Geert Wilders a platform to voice anti-Islam anti-Muslim hatred” in a recent interview on Lateline.

For those who do not know, Wilders is a controversial Dutch politician who is known for his anti-Islam and anti-immigration stance. He was invited to speak in Australia, which led to protests outside his first event in Melbourne.

TECHGEEK.com.au has contacted the ABC and is awaiting comment. However, a spokeswoman told us that they are aware of the issue.

UPDATE: ABC 774 Melbourne has posted a response to this story. “IT is investigating,” it tweeted.

UPDATE 2 (11:30a): ABC’s Sally Cray, head of Corporate Communications at ABC Corporate Affairs, has told 774 ABC, “We’re certainly aware of the reports.”

“We’re looking into it and we’re trying to figure out whether it has actually happened, and if it has happened, what information it is.”

UPDATE 3 (3:00p): The broadcaster has released this statement:

Overnight the ABC was made aware that an ABC television program website was hacked. The website relates to the ABC television program Making Australia Happy, which aired in late 2010.

At this stage, we are still investigating the details of the breach. However, we do know that it has exposed the name, username and a hashed version of the password that audience members used to register on the program website.

As soon as the ABC was made aware of this activity the site was shut down.

This breach originated at an overseas location and an activist has claimed responsibility for it.

The ABC will be in contact with audience members who have been directly affected.

UPDATE 4 (4:50p): Troy Hunt, a software architect and Microsoft MVP, has tweeted that he has already cracked more than half of the 50,000 password hash dump in less than 45 seconds. He tells Fairfax’s Ben Grubb via Twitter that it was possible due to “poor cryptography”.

Meanwhile Risky Business’ Patrick Gray is reporting “strong circumstantial evidence” that the Making Australia Happy site was already compromised by criminals way back in 2011, with the first two password hashes from the database being posted on a Russian cybercrime website. One of them is an ABC account with moderator privileges.

UPDATE 5 (7:05p): Troy Hunt has finally released his blog post on cracking half of the passwords in 45 seconds. So, how was it possible? Because the hash was already made public through Google, and he managed to get the ‘cipher text’ for the hash. “From here, the password cracking is exceptionally simple,” Hunt writes in the blog post. “This case is even easier as there’s no salt and it simply involved saving all those unique hashes into a file called abchashes.txt then using the same hashkiller password dictionary I used in the aforementioned example.”

He managed to recover 18,406 hashes out of the 41,585 unique hashes – in just 45 seconds.
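For site operators, the "no salt" point above can be checked and fixed on the storage side. The following is an added example, not code from the ABC, Troy Hunt or this article: it shows that unsalted hashing makes identical passwords collapse into identical stored values (which is why a dump reduces to a smaller set of unique hashes), and that a per-user salt with a slow key derivation function removes that property. The sample accounts are constructed, and SHA-256 is an assumed stand-in because the article does not name the site's hash algorithm.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the dump); two users share a password.
USERS = [("alice", "sunshine1"), ("bob", "sunshine1"), ("carol", "Tr1cky-horse-42")]

def store_unsalted(users):
    # Assumption: SHA-256 stands in here; the article does not name the site's algorithm.
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users}

def hash_salted(password, salt, iterations):
    # Slow, salted derivation (PBKDF2-HMAC-SHA256 from the standard library).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_salted(users, iterations=600_000):
    # A fresh random 16-byte salt per user is stored beside the derived key.
    table = {}
    for user, password in users:
        salt = os.urandom(16)
        table[user] = (salt, hash_salted(password, salt, iterations))
    return table

def verify(table, user, password, iterations=600_000):
    # Recompute with the stored salt and compare in constant time.
    salt, expected = table[user]
    return hmac.compare_digest(hash_salted(password, salt, iterations), expected)

def duplicate_ratio(stored_values):
    """Fraction of rows that duplicate an earlier row's stored value.
    A ratio above zero on a real table suggests missing per-user salts."""
    values = list(stored_values)
    return 1 - len(set(values)) / len(values)

if __name__ == "__main__":
    weak = store_unsalted(USERS)
    strong = store_salted(USERS)
    print("unsalted duplicate ratio:", round(duplicate_ratio(weak.values()), 3))
    print("salted duplicate ratio:  ", duplicate_ratio(d for _, d in strong.values()))
    print("login still works:", verify(strong, "bob", "sunshine1"))
```

Running `duplicate_ratio` over the password column of an existing user table is a quick audit for this weakness before an attacker does the same deduplication.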
