The website of political news outlet Infowars has been hacked, with details of account holders being offered for sale on the dark web.

The hacked data being offered up is said to have come directly from Prison Planet TV, a service offered by Infowars that gives users access to a variety of additional content, and includes email addresses, usernames, and poorly hashed passwords.

To confirm the hack, an administrator from breach notification site Databases.Land shared 50,000 stolen InfoWars accounts with MotherBoard, who then contacted a number of users in the list to check whether their details were legitimate, along with visiting the sign-up page on Prison Planet TV and testing 20 random email addresses and their linked usernames. Both tests showed the data was legitimate.

How up to date the data is, however, is not clearly known; Infowars claims the data was from a breach in 2012, while a report from Yahoo! News puts the date at 2014.

Access to the data is believed to have occurred through an SQL-injection web attack, an injection attack wherein an attacker can execute malicious SQL statements (a malicious payload) to control a web application’s database server and the obtain information from the database therein.

Poor security

To make matters worse for those affected in the attack, Infowars was found to only be using MD5 encryption on passwords, an encryption standard first invented in 1991 that is well known to have a “tremendous amount of vulnerabilities,” that has been described as being “cryptographically broken.”

Interestingly, Motherboard was able to decrypt a number of passwords in the stolen database using a free online tool.

Infowars has, not surprisingly, gone on the offensive following the news, not so much as being apologetic on the hack but actually attacking mainstream media for recycling a hacking story from 2012.

“Infowars has investigated and examined the latest dump and determined that the information comes from the 2012 incident. At the time of that breach, Infowars notified users, reset passwords and took numerous steps to harden our systems to prevent further attacks,” the site notes in a blog post.

“Why news outlets are now choosing to report on this hack, which has been publicly known for years, remains to be seen.”

Infowars added that they were resetting user passwords as a security measure none the less, which is strange behavior for a hack that apparently took place four years ago.

Image credit: donkeyhotey/Flickr/CC by 2.0