Preliminary analysis of Stratfor data dump (updated)

Identity Finder has analyzed some of the data released from the Stratfor hack:

  • 50,277 unique credit card numbers, of which 9,651 are not expired
  • 86,594 email addresses, of which 47,680 are unique
  • 27,537 phone numbers, of which 25,680 are unique
  • 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked
    • 73.7 percent of decrypted passwords were weak
    • 21.7 percent of decrypted passwords were medium strength
    • 4.6 percent of decrypted passwords were strong
    • Average decrypted password length: 7.1 characters
    • 10 percent of decrypted passwords were less than 5 characters long
    • Only 4.8 percent of decrypted passwords were 10+ characters long
    • Presumably the remaining non-decrypted passwords were stronger than the decrypted subset
  • 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world

Read more on Identity Finder.

So they were storing approximately 40,000 credit card numbers in clear text that were expired?  This is really inexcusable. If the numbers could not be charged, why retain them – and their CVV?

Updated 1-4-12:  Their updated analysis was released on Dec. 30.  One big difference is that the updated figures show over 36,000 unexpired credit card numbers:

  • 68,063 Unique Credit Card Numbers, of which approximately 36,000 have unexpired expiration dates. Note: Credit cards with expired expiration dates might still be valid, if they have since been renewed.
  • 859,311 Unique Email addresses.
  • 50,569 Phone Numbers.
  • 860,160 Hashed Passwords, of which roughly 11.8% could be easily cracked.
  • Average password length: 7.2 Characters.
  • 50,618 of the addresses belonged to United States victims; the remainder belonged to individuals from other parts of the world.

Thanks to the reader who made me aware of the update.

About the author: Dissent

4 comments to “Preliminary analysis of Stratfor data dump (updated)”

You can leave a reply or Trackback this post.
  1. Chris L - December 30, 2011

    Where did you see that the CVVs were also retained?

    • admin - December 30, 2011

      They announced that immediately. See my post at http://www.databreaches.net/?p=22426 that incorporates one of their tweets. But also, all you need to do is look at the data dumps they’ve been posting this past week and you’ll see the CVV’s.

      • Chris L - December 30, 2011

        Oh, awesome. Somebody failed PCI 101.

        • admin - December 30, 2011

          101, 102, 103, ……

Comments are closed.