A recent report reveals that political news outlet Infowars was breached, spilling the details of thousands of users that’s now in circulation in the digital underground. The breach stems from the site’s Prison Planet TV portion that provides videos like founder Alex Jones’ latest broadcast, the Infowars Nightly News, and more. The leaked database seems to have been around since 2014.
The report derives from Motherboard, which recently received a copy of the Infowars database from Databases.Land. In a report provided on Monday, the site states that this database contains the email addresses, usernames, and “poorly hashed” passwords of 100,223 registered Infowars users. However, Vigilante.PW has the database stored as well, and only lists 49,933 records, indicating that the former copy is full of duplicates. Yet despite the 2014 dump date, the listing was last updated on Monday.
To validate the database dump, Motherboard went to the sign-up page on Prison Planet TV and tested 20 random email addresses and their linked usernames. Motherboard discovered that 19 of those records were already linked to Prison Planet TV accounts, and the last remaining record showed that the username was registered, but not the email address. Motherboard then contacted the owners of two verified accounts to confirm that they were indeed signed up for Prison Planet TV on the Infowars site.
What’s alarming about this report, other than the fact that the database was leaked two years ago, is that the passwords were secured with the MD5 algorithm. This isn’t the ideal method for scrambling a password, as it’s been around since 1991 and is known to have a tremendous amount of vulnerabilities. The United States government won’t it, and even the CMU Software Engineering Institute said back in 2010 that MD5 was “cryptographically broken.”
That said, Motherboard says that it was able to utilize a free online tool to successfully obtain the passwords for a number of the Prison Planet TV accounts. As for the entire database, the site believes that an SQL-injection web attack was used to grab the data given that it’s all stored in a SQL format file. An SQL-injection attack means that the hacker can insert an SQL-based command in an entry filed to tell the SQL database to cough up all of its contents into a downloadable file.
If you’re not familiar with Infowars or Prison Planet TV, they focus on current political topics, global government issues, and so on. Topics of today include Trump recruiting an army of “observers” to prevent a “rigged” election, and the Huffington Post banning a journalist for writing about Hillary Clinton’s health. Infowars founder Alex Jones is also known for his controversial viewpoints about the 9/11 attacks, the Oklahoma City bombing, and the U.S.-based landings on the Moon (or rather a lack thereof).
What’s ultimately surprising is that a website focused on reporting the “truth” to the American people is securing user passwords with a very old and buggy algorithm. As always, web surfers should use a unique password for every service they use online, as you never know what site still relies on ineffective security technologies. It’s good practice anyway, and there are plenty of free tools web surfers can use to keep track of them all.