Preliminary analysis of Stratfor data dump (updated)

Identity Finder has analyzed some of the data released from the Stratfor hack:

  • 50,277 unique credit card numbers, of which 9,651 are not expired
  • 86,594 email addresses, of which 47,680 are unique
  • 27,537 phone numbers, of which 25,680 are unique
  • 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked
    • 73.7 percent of decrypted passwords were weak
    • 21.7 percent of decrypted passwords were medium strength
    • 4.6 percent of decrypted passwords were strong
    • Average decrypted password length: 7.1 characters
    • 10 percent of decrypted passwords were less than 5 characters long
    • Only 4.8 percent of decrypted passwords were 10+ characters long
    • Presumably the remaining non-decrypted passwords were stronger than the decrypted subset
  • 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world

Read more on Identity Finder.

So they were storing approximately 40,000 credit card numbers in clear text that were expired?  This is really inexcusable. If the numbers could not be charged, why retain them – and their CVV?

Updated 1-4-12:  Their updated analysis was released on Dec. 30.  One big difference is that the updated figures show over 36,000 unexpired credit card numbers:

  • 68,063 Unique Credit Card Numbers, of which approximately 36,000 have unexpired expiration dates. Note: Credit cards with expired expiration dates might still be valid, if they have since been renewed.
  • 859,311 Unique Email addresses.
  • 50,569 Phone Numbers.
  • 860,160 Hashed Passwords, of which roughly 11.8% could be easily cracked.
  • Average password length: 7.2 Characters.
  • 50,618 of the addresses belonged to United States victims; the remainder belonged to individuals from other parts of the world.

Thanks to the reader who made me aware of the update.

About the author: Dissent