European Space agency hacked. Staff and subscribers' data exposed

You would like to imagine that it was a proud day for the European Space Agency (ESA).

Tim Peake, the first official UK astronaut, has been hurtled into space onboard a Soyuz rocket from Kazakhstan. His destination and home for the next seven months? The orbiting International Space Station.

Things are not looking so good for the ESA closer to Earth, however.

Hackers operating under the banner of Anonymous have seemingly breached the due.esrin.esa.int, exploration.esa.int, and sci.esa.int ESA websites, exploiting a SQL vulnerability to trick them into spitting out the contents of their databases.

The consequence? Staff names, email addresses, phone and fax numbers, and more have been grabbed by the hackers, alongside the names, email addresses and plaintext passwords of over 8000 subscribers.

HackRead reports that the hackers had a seasonal explanation for the breach:

BECAUSE XMAS IS COMING AND WE HAD TO DO SOMETHING FOR FUN SO WE DID IT FOR THE LULZ

Funny? I’m not so sure. After all, it’s not out of this world to imagine that the personal information and credentials (which have been published on the web) could assist online criminals in launching phishing attacks or targeting organisations with malware.

And then, of course, there’s the potential risk that hackers could take the passwords exposed by this breach and use them to unlock other online accounts.

Steve Ragan of CSO analysed the 8,107 passwords that were leaked, discovering that 39% were just three letters long.

You don’t win any prizes for guessing that at least some of the users chose “esa” as their password. Sigh…

If you have ever created an account on the ESA website, my advice would be to ensure that you are not using the same password on any other website (unique passwords are a good idea for everybody to be honest), and to be suspicious of any unsolicited emails that you might receive.

Meanwhile, one hopes that the Esa will have learnt its lesson and conduct a thorough security review of its websites. Too many organisations are failing to properly secure their passwords and falling foul of SQL vulnerabilities, making it too easy for online criminals to steal sensitive data.