Skip to main content

Ethical hacking organization hacked, website defaced with Edward Snowden's passport

Ethical hacking organization hacked, website defaced with Edward Snowden's passport

/

Passports of 60,000 US military and government IT professionals at risk

Share this story

edward-snowden-passport-hack-ecc
edward-snowden-passport-hack-ecc

The EC-Council, a US professional organization that offers a respected certification in ethical hacking, was itself hacked this weekend. Passport and photo ID details of more than 60,000 security professionals who have obtained or applied for the EC-Council's Certified Ethical Hacker certification are at risk after the breach, many of whom work in sensitive political and military positions. They include members of the US military, FBI, United Nations, and National Security Agency.

Among their number is Edward Snowden, whose passport and application email for the certification were used to deface the EC-Council's homepage, alongside the message "Defaced again? Yep, good job reusing your passwords morons." It appears applicants for the CEH qualification emailed their passport or photo ID details to the EC-Council. The self-described "certified unethical hacker" responsible for the attack reportedly used a DNS redirect to access those details, which were stored in an inadequately protected location. The hacker — who calls him- or herself Eugene Belford after the character in 1995's Hackers — said that he was "sitting on thousands of passports belonging to LE (and .mil) officials."

The hacker responsible for the attack calls themself "Eugene Belford" after the 'Hackers' character

The US Department of Defense has the EC-Council's Certified Ethical Hacker qualification as a mandatory standard for its Computer Network Defense Service Providers. According to Steve Ragan of CSO, the EC-Council's website — which is currently inaccessible — was found to have vulnerabilities to various methods of attack last year. This specific defacement is reportedly a DNS redirect, controlled by an IP that was implicated in an attack on Flash-based co-operative shooter Realm of the Mad God earlier this month.