A purported hacker known as Fear claims to have hacked hundreds of government servers used to upload and download files from the internet — a claim that's being described as a hoax.
Fear, who claims to be a teenager, said he took advantage of lax security at the company Neustar to gain access to a large number of FTP (File Transfer Protocol) servers. But Neustar has pushed back, saying the purported breach does not match the files the hacker claims to have taken.
FTP servers are often used to upload data to a website, and run off of the same types of domain names as websites.
Neustar is in charge of the “.us” top-level domain, an alternative to “.com,” “.edu” and “.org.”
By hacking Neustar, Fear claims he gained access to the FTP accounts for every site with an address ending .us.
“I hacked into the Neustar FTP, and I dumped their files, and in the files there was a list of each and every FTP server on a .us, and it had their passwords, users, ftp ip, hostname, and domain,” said Fear in an online chat. He later expanded on the claim to say it was an attack known as SQL injection, which exploits a poorly coded database-backed website to make it leak information.
Databreaches.net, the first site to report on the story, posted purported screen captures from the hack. The claim received additional coverage from other tech sites and The Hill.
But Neustar says it does not have access to such a list of login credentials or a list of FTP sites on .us servers. Neustar is only one of many companies involved in the process of setting up an internet site, even with the .us name. The company hosting the site has direct access to login data.
"We can't state unequivocally that he did not hack something, but only because it's impossible to prove something didn't happen," said Neustar Senior Vice President Rodney Joffe.
"We have been looking for evidence since the story came out, and haven't found anything. And we're good at this, because we take security seriously."
Many of the servers that host .us accounts also host “.gov” accounts, leaving Fear with what he claimed was access to a wide variety of government information, including voter registrations for every county in all 50 states, prescription databases and the Department of Education.
“It only takes 13 hours and 23 minutes and 12 seconds for somebody to finish gathering data on every US citizen,” Fear boasted.
Many states used poor security practices, he said, using passwords of no more than five characters and failing to encrypt sensitive information.
Fear said that the files he has amassed include credit card information, bank transactions, prescription information, Social Security data and more, and that he planned on selling the information he had downloaded for “thousands of dollars in cryptocurrency.”
He declined to provide additional evidence of the hack when asked.
Updated at 4:14 p.m.