Memo to feds: Stop using the same passwords for personal and work accounts

Recent and future government victims of the hacker collective Anonymous may want to stop using agency passwords on nonwork websites, say officials with the Arizona Department of Public Safety, which learned that lesson the hard way.

During the weekend, hacker activists purportedly from Anonymous leaked the apparent passwords and some credit card data of federal subscribers to intelligence publisher Stratfor, according to the attackers' online messages. It is unclear whether the clients, whose government email addresses also were revealed, were using any of the passwords for federal government systems. But in Arizona, Anonymous allegedly unlocked state government systems by stealing and reusing the passwords officers used to access their personal email accounts and nonwork websites, said Officer Carrick Cook, spokesman for the police department.

"People were using the same password for a lot of different things," he said. "Cops are kind of silly when it comes to that and using the same password twice."

A former Anonymous member said some of the functioning passwords came from pornography websites. Jennifer Emick, who became a security consultant after abandoning the group's antics, said the police had registered on the explicit sites using their government e-mail addresses and government passwords. The attackers, who either operated the porn sites or hacked them, entered the customers' passwords into their corresponding government accounts to see if that would open department databases, she said. It worked, current Anonymous members confirmed.

The cyberbandits, who claimed to be angered by Arizona's tough immigration policies, were able to expose hundreds of personal email correspondences, phone numbers and passwords of officers.

"If you are going to sign up for a porn site, use a throw away email account not your real email," Emick said.

Cook said he didn't know all the details but one gateway for hackers was the officers' personal Web mail accounts. From the office, some police had forwarded work emails to their personal accounts that displayed their computer credentials. "Once they got into the work email system -- into the mainframe -- they could get into the server," he said.

After the attack, police were instructed to create stronger passwords that contained a certain number of characters, letters and numbers, Cook said. And they were prohibited from using any personal account passwords as government logins. Also, officers now must either contact the system administrator or enter a current password to change their codes. There are no password reset questions, such as, "What is your mother's maiden name?" Cook was unsure if the department has forbidden officers from forwarding work emails to personal Web mail accounts.

He acknowledged the protective measures cannot stop a person intent on penetrating department systems. "I know it's making it more difficult," Cook said, but, "It's not going to prevent another hacking issue."

During the past year, the FBI has arrested about 20 cybercrooks aligned with Anonymous, mainly in connection with attacks on sites, such as PayPal, that stopped servicing the anti-secrets publisher WikiLeaks. Most recently, on Dec. 13, bureau officials announced that they apprehended a Connecticut member for allegedly shutting down GeneSimmons.com, the official fan page of the KISS performer.

Cook said more than 15 individuals around the world have been arrested on charges related to the Arizona crime.

Stratfor's website, which has been down since the weekend, is expected to remain offline another week for review and adjustment, Stratfor officials said.

"We are diligently investigating the extent to which subscriber information may have been obtained," Stratfor Chief Executive Officer George Friedman wrote on the company's Facebook page Sunday.

On Wednesday night, he posted an update, stating, "our investigation and coordination with law enforcement is ongoing." National Journal reported on Tuesday that the FBI is aware of the breach. Nextgov and National Journal are both owned by the Atlantic Media Co.

The FBI declined to comment.