"One thing about us wiseguys, the hustle never ends."
--Tony Soprano, season 1, episode 5 "College."
In January of this year, we blogged about a hacker site that sold admin access to several military, education and government websites. The hacker Srblche, who has renamed himself a "security researcher," put a catalog of websites vulnerable to SQL injection on a website. After our blog was published, Srblche put his website behind a paywall. It would cost about $10 to access the site's contents:
One hacking group, "d33ds," managed to hack Srblche's site, posting their hack on pastebin, explaining, "Anyone willing to pay for this service must be as stupid as he is." (For reference, d33ds is the same group that hacked RankMyHack.com.) To illustrate their hack, d33ds created a mirror site containing the catalog of vulnerable sites.
The hackers proudly revealed Srblche's administrative username and password:
How did the hack occur? It's likely, though not certain, that Srblche used shared hosting for his site and that other applications hosted on the same server were vulnerable, allowing an attacker to reach Srblche's application source files (and the credentials in them). This is how RankMyHack was breached.
The moral of the story? First, the obvious: there's no honor among thieves. Second, and more importantly, this episode shows that everyone can get hacked: the good, the bad and those using hysterical passphrases.