35 comments

[ 1.4 ms ] story [ 80.0 ms ] thread
do they not enforce a password policy?
It doesn't really matter when you're storing passwords in plaintext...
I don't know if this is legit or not, but just do a quick ctrl + F and you will find plenty of users still using "password123" and "qwertypassword." Seems like the government should require employees to use a more secure password rather than trusting them to use their own standards.
I don't really get it, there's some server information followed by a long list of passwords. Since at least one of the passwords is 18 characters long, I guess they haven't been brute forced. So does it mean that the FBI is storing some passwords in plain text?
There's a few ways someone could do this that wouldn't use "store password in plain text". A MITM attack using remote access to a router/server would work if a webmail login didn't require SSL (or if the attacker is sophisticated enough, it would work even if SSL was on). I can think of a few ways one could social engineer their way to that level or just escalate by gathering data.

Even something as simple as cracking the home WIFI router of an unsuspecting employee, and use those credentials as a base point to work your way up the access chain. Lots of places spend loads of time securing the border to prevent outside access, but don't spend loads of time preventing users with access from escalating. I know we're talking about the FBI, but really it only takes one small mistake.

(comment deleted)
This one is pretty nice though: Richard.VorderBruegge@ic.fbi.gov - ilovemydaughternancy
Dude, I heard even talking about these combinations is considered as illegal, as in effect you're [illegally] distributing classified information. Better delete it, just for your safety!
what about laughing at yourself?

qwertylol@me

I believe this is a repost.
Also, some quick searches with the emails give results since Oct 2012 (but none of them have server info, the info is easy to fetch anyway).
Wow, some of those passwords are unbelievably shocking. Is this a real leak? By the looks of it, those passwords weren't brute forced they were stored in plaintext... The complexity of some of these passwords is pretty high and some not so high, "Diego@ic.fbi.gov - opjwpoejt9U)(hfodkl"
I really wonder if the user would remember this password, or just copy paste it from somewhere. ;)
Usually, password managing software are used for creating and entering such passwords.
The classic trick with such nonsensical passwords is to use a phrase as mnemonic. "I replied to Garbage on Hacker News on the ninth of January" becomes "IrtGoHNotnoJ".
Looks more like banging on a keyboard to me. Perhaps this user just lets his browser store it and has it emailed to him if he forgets it.
I have passwords longer than that that I've memorized the hard way.
I was positively surprised by the amount of good passwords in that list. If you look at any other leak incident the amount of 'simple' and non-randomly generated passwords is much much higher.

In fact I think that is a testament to that this is actually a list from the FBI.

BTW everyone immediately assumes that these passwords were stored in plain text, but that does not have to be the case at all, this leak nowhere states that these passwords are from a database.

If a host gets hacked, there are plenty ways to obtain passwords without looking into a database.

it isn't so hard to understand if the said person uses a password manager program like LassPass or 1Password.
Wow, a handful of people had their exact names as their password.
Those could be hand-entered default passwords for accounts that were never used.
There is 0 credibility to this claim. I could make up a list of passwords if I wanted to.
It would take quite a while to make up that many. They appear to represent a wide range of individual styles, too.
Take a different list of passwords, do a regex to make the e-mails FBI ones... ta-da.
But a lot of them look like they have some relation or similarity with the account name.
What do they have to gain by hacking the fbi passwords? Don't they know the government never forgives or forgets?
I hope Alicia's husband/SO's name is Mark, or she has some explaining to do.
Alright, I just compared it to the hack that was posted about 3 months back and this seems to be a repost of it.

When it was posted back then, it was called out to be a repost of an older one. * Sigh * [1]

[1] http://news.ycombinator.com/item?id=4678064

ohh i mistakenly upvoted it , shit :(
I wonder fbi.gov uses rails and XML. lol.
Lol, forgot to bundle update that gemfile!
common sense tells me, even if they did hack it, it most likely is a honeypot.