A Romanian hacker has been on a spree of what he calls “Light Hacktivism,” targeting 32 websites and dumping their data onto the web. The hacker, going by the name “GhostShell,” has been targeting government, educational, medical, industrial, and even personal websites, all of which held sensitive information vulnerable on open FTP ports, and according to him, this is not the end.

Who’s behind it

GhostShell, a former member of Anonymous and MalSec who revealed his identity as Razvan Eugen Gheorghe (in hopes of gaining a “white hat” job in cyber security), has described his hacking spree as a means of “raising awareness on the on-going open FTP directories,” stating that leaving ports open and unprotected poses a big security risk that many are ignoring. According to Computerworld, he’s leaked some recently expired credit card information to show that he is fully capable of exposing more dangerous financial information should he so choose.

Softpedia reports that GhostShell could obtain information such as usernames, passwords, and even personal identities through open ports, and even access entire servers through their vulnerabilities. The information obtained could be used for a wide range of malicious activities, such as identity theft, credit card fraud, or even just selling to advertisers. However, that does not appear to be the hacker’s goal.

In fact, much of the data leaked has been censored, such as medical information. That does not mean that the entire leak is harmless, though, since accounts and personal information are still available, and can be used by anyone who has viewed the leaks.

Who’s been hit

The data breach targeted multiple sites, including university websites and government sites. The entire list of struck sites can be seen below:

“norid-gt.meximas.com
www.personal.psu.edu
www.kwsrq.com
bugs.glendale.edu
cosmo001.sakura.ne.jp
fcvb.org
eliza.newhaven.edu
users.telenet.be/orandago
apacheco.itch.edu.mx
bart.stuy.edu
topcat.cs.umb.edu
www.cse.msu.edu
cvnmedical.com
mgcc.ae
isu.indstate.edu
fwpcresidential.com
consulta.telecom.cide.edu
www.crulogistics.com
www.pennsylvaniadbe.com
www.mspp.gouv.ht
www.cs.trinity.edu
db.ucsd.edu
www.calagquest.com
www.topsfield-ma.gov
www.montecarlo.org.uk
cs.calvin.edu
mmclarke.ischool.syr.edu
folk.uio.no
www.yourhonorsociety.com
bio.ijs.si
svn.eiffel.com
www.webpagedesign.1colony.com”

The damages

Well intentioned or not, these hacks can have serious consequences for its victims. If any of the above URLs are familiar to you, check your account, check haveibeenpwned.com to see if your information was leaked, and begin changing your passwords immediately. And if your website uses open FTP ports, Dark Reading notes that GhostShell has threatened more leaks will be coming soon, so make sure that your security is up to date.

Photo by William Christiansen