Skip to main content

Multiple FTP servers owned by the U.S. government were accessed by a teen hacker

exploit
Image used with permission by copyright holder
On Monday, a report surfaced claiming that a teen hacker using the alias “Fear” managed to gain access to hundreds of FTP servers owned by the U.S. government. The hacker initially gained access to one server, but then discovered that it listed the access credentials to all FTP servers residing on the .us and .gov domains. The .us servers include public data, private data, program source code, and more sensitive data, while the hacker wouldn’t say what’s loaded on the .gov sites.

FTP stands for file transfer protocol, and servers using this protocol are established to host files on local networks or via the internet. Users typically need a login name and password to gain access to content stored on these servers, which can be made public or set as private. Naturally, the government would keep its servers private, so it’s a bit scary to see that a teen managed to access one and grab the details of numerous others.

Recommended Videos

“It was very simple to gain access to the 1st box that listed all the .us domains, and their ftp server logins,” the unnamed hacker claims. “I went through each and every one, it was legit. I am pretty sure about every person who does security researching can do this, yes, it may have taken me about 3 hours or 4 hours of looking around, but it is still possible.”

Please enable Javascript to view this content

The hacker also points out that the FTP sites used absolutely no encryption on their contents despite their sensitive nature. He discovered social security numbers, credit card numbers, and even web-based banking transactions made by the First Bank of Ohio. One file contained the postal addresses, email addresses, and phone numbers of candidates for the Minnesota school board as well.

According to the report, the teen hacker managed to grab credit card numbers from the First Bank of Ohio because the government has access to that particular bank. In turn, the bank stores the sensitive numbers across several SQL tables, which is a form of Excel-like data storage within a database. Moreover, one FTP server located within Florida wasn’t even password protected. It reportedly serves up one file with 267 million records, one file with 76 million records, another one with 400 million records, and more. Since then, that specific FTP server has now become password protected (even though that may be a case of closing the barn door after the data-rich cow has gotten out).

Ultimately, the teen managed to collect credit card numbers by the thousands, and social security numbers by the millions. He even grabbed the sensitive details of state employees including their telephone numbers, names, addresses, and government positions. Apparently, the FTP sites owned by the U.S. government depend on passwords with only five characters.

The teen hacker reportedly didn’t leave any backdoors to the FTP servers save for Florida, and that backdoor was removed Sunday night. Still, the whole situation is surprising given these servers are run by the U.S. government and a single teen managed to access them and grab sensitive data.

Just imagine the damage local hackers and international terrorists could deal to Americans by breaking into these servers … if they haven’t already.

After the report went live, the federal government shut down the main .us FTP server. The story is currently ongoing, so stay tuned.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
I tested Intel’s new XeSS 2 to see if it really holds up against DLSS 3
The Intel logo on the Arc B580 graphics card.

Although it technically arrived alongside the Arc B580, Intel quickly disabled its new XeSS 2 feature shortly after it was introduced. Now, it's back via a new driver update, and with a few fixes to major crashes issues. I took XeSS 2 out for a spin with the Arc B580, which has quickly climbed up the rankings among the best graphics cards, but does XeSS 2 hold up its side of the bargain?

XeSS 2 is Intel's bid to fight back against Nvidia's wildly popular DLSS 3. The upscaling component at the core of XeSS is the same, but XeSS 2 includes both a Reflex-like latency reduction feature and, critically, frame generation. The latency reduction, called XeLL, is enabled by default with frame generation.

Read more
Windows PCs now works with the Quest 3, and I tried it out for myself
i tried windows new mixed reality link with my quest 3 alan truly sits in front of a pc and adjusts virtual screen while wear

Microsoft and Meta teamed up on a new feature that lets me use my Windows PC while wearing a Quest 3 or 3S, and it’s super easy to connect and use. I simply glance at my computer and tap a floating button to use Windows in VR on large displays only I can see.

Meta’s new Quest 3 and 3S are among the best VR headsets for standalone gaming and media consumption. When I want more performance or need to run one of the best Windows apps that aren’t yet available in VR, I can connect to a much more powerful Windows PC.
Setting up Mixed Reality Link
Scanning Microsoft's Mixed Reality Link QR code with a Meta Quest 3 Photo by Tracey Truly / Digital Trends

Read more
How to transfer your books from Goodreads to StoryGraph
Front page of a book on Onyx BOOX Go 10.3 tablet.

Goodreads has been the only game in town for Android and iOS book-tracking for a long time now, and like most monopolies, it has grown old and fat. Acquired by Amazon in 2013, avid book readers have had lots to complain about in recent years, with the service languishing unloved, with no serious updates and an aging interface. It's been due some serious competition for a long time, and lo and behold, some has arrived. StoryGraph is a book-tracking app that offers everything you'll find on Goodreads but with an algorithm that lets you know about what you might love, and adds features any bibliophile will know are essential — like a Did Not Finish list.

Read more