Email addresses and passwords of 6,700 civil servants and private-sector staff published online

9 Jul 2012

An online document on a hacker’s forum seen by Siliconrepublic.com contains what appears to be the email addresses and passwords of government and private-sector workers, including members of the Revenue Commissioners, Bank of Ireland Life, IBM, AIB, and Irish Rail, as well as thousands of Gmail and Hotmail users.

The list, which sits on a prominent hacker forum, was discovered last week by Tom O’Connor of hosting provider Databackup.ie.

O’Connor said, however, that he has had problems trying to submit the sensitive information to Ireland’s police force, An Garda Síochána.

The live list, seen by Siliconrepublic.com but not published or linked to from here for obvious security and legal reasons, looks like it has been diligently and deliberately compiled.

One of the worrying aspects of the list is the generic nature of many of the passwords, which include the names of towns or professional activities such as “nursing.” There is no telling at this stage whether the passwords are current or old, but one of the biggest security problems with email is the lax approach most users take to changing passwords regularly.

“Whoever compiled this list had access to the high end of an ISP network, from what I can tell,” O’Connor told Siliconrepublic.com.

“While it does look like they were running a packet sniffer, the high-level nature of some of the addresses looks like it was deliberately compiled. It looks as if it was compiled from behind a firewall on a broadband network,” O’Connor added, suggesting a potential inside job.

Given the runaround

However, since discovering the list while he was searching for an email address using a simple Google search, O’Connor said he has had trouble getting the gardaí computer crime squad to do something about it.

He tried to ring the Computer Crime Squad but was dispatched to the Fraud Squad who said they could not do anything about it unless he filed a report at an actual garda station.

When he tried to file a report at an actual garda station, it was suggested he ring the Fraud Squad.

“This was Friday. They don’t seem to have a 24-hour service but seem to work 9-5. This list is still sitting there and anybody can start targeting the Revenue Commissioners or the HSE,” O’Connor warned.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
