Tens of thousands of subscriber accounts for media company Infowars are being traded in the digital Deep Web.
Infowars, created by famed radio host and conspiracy theorist Alex Jones, produces radio, documentaries and written pieces. The dumped data relates to Prison Planet TV, which gives paying subscribers access to a variety of Infowars content. The data includes email addresses, usernames, and poorly hashed passwords.
The administrator of breach notification site Databases.Land provided a copy of 100,223 records to Motherboard for verification purposes. However, every record appears to have been included twice in the data, making the actual number of user accounts closer to 50,000. Buckley Hamman from Infowars told Motherboard in an email that, "We have cross referenced the current dump versus our current db and it is data from an old breach that happened in 2012 and was dealt with at that time."
Motherboard tested 20 random email addresses and their corresponding usernames on the signup page for Prison Planet TV. Of those, 19 were already linked to accounts on the site, and although one email address wasn't registered, its username was.
At the time of writing, two victims in the dump reached by Motherboard confirmed that they had signed up to Infowars/PrisonPlanet.
The passwords are hashed with the notoriously weak MD5 algorithm, meaning they should be trivial for hackers to crack. Indeed, Motherboard successfully obtained the actual password for a number of users with a free online service.
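For site operators holding a table like the one described above, the following added example (not code from the article or from Infowars) shows one way to find legacy MD5 records and replace each with a salted scrypt hash the next time its owner logs in. It assumes the stored values are bare unsalted MD5 hex digests, which the article does not specify; the function names, record format and scrypt parameters are illustrative.

```python
import hashlib
import hmac
import os
import re

# Illustrative scrypt cost parameters (assumed; tune for your hardware).
N, R, P = 2**14, 8, 1
MD5_HEX = re.compile(r"[0-9a-f]{32}")

def hash_password(password: str) -> str:
    """Slow, salted hash: a fresh random salt per record, scrypt as the KDF."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${dk.hex()}"

def is_legacy(stored: str) -> bool:
    """True for a bare 32-hex-digit value, i.e. an unsalted MD5 digest."""
    return MD5_HEX.fullmatch(stored) is not None

def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login; return (ok, record_to_store).

    A legacy MD5 record that verifies is replaced by a scrypt record, so the
    weak hash leaves the database the next time the user logs in.
    """
    if is_legacy(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, stored):
            return True, hash_password(password)
        return False, stored
    _scheme, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=N, r=R, p=P, dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex), stored

def audit(users: dict[str, str]) -> list[str]:
    """List accounts whose stored hash is still legacy MD5."""
    return sorted(name for name, stored in users.items() if is_legacy(stored))

# Constructed sample table: two users who chose the same password.
USERS = {
    "user_a": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
    "user_b": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}
```

In the constructed table both users end up with the same MD5 value, while the upgraded scrypt records differ because each gets its own salt.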
The user accounts are in a SQL format file, implying that the data may have been obtained via SQL injection, an ancient and yet often still effective type of web attack. (However, exactly how the data was stolen from the site is not confirmed.)
The lesson: Users can never really be sure how a website is going to store their passwords. Instead of gambling, and just hoping that they've been hashed appropriately, users should make sure to sign up to different services with unique passwords. That way, when one site is hacked and its hashes cracked, the damage will be largely limited to that one site.