Debbie Crowell never ordered the iPhone, but thanks to a hacking group known as Lulzsec, she spent a good part of her Thursday morning trying to get $712 in charges reversed after someone broke into her Amazon account and ordered it.
"They even had me pay for one-day shipping," she said via email Thursday afternoon.
Crowell is one of more than 62,000 people who must now change passwords and keep a close eye on their online accounts after Lulzsec posted their email addresses and passwords to the Internet Thursday. It's the latest escalation in a messy hacking rampage by the anarchic group that's caused damage at Sony, the U.S. Public Broadcasting Service and even the U.S. Central Intelligence Agency.
It's not clear where all of the Lulzsec email addresses and passwords came from. At least 12,000 of them, including Crowell's, were gathered from Writerspace.com, a discussion forum for readers and writers of mystery and romance novels. The site's technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.
The 62,000 email addresses and passwords belong to victims at large companies such as IBM, as well as in state and federal government. Affected agencies include the U.S. Army, Navy and Air Force, the U.S. Federal Communications Commission, the U.S. National Highway Traffic Safety Administration, the U.S. Department of Veterans Affairs and the U.S. Coast Guard.
Unlike other hacking groups, Lulzsec doesn't seem to have much of an agenda, except to settle a few scores and cause as much chaos as possible. Lulz is hacker speak for the plural of "laugh out loud."
Soon after the accounts were posted Thursday, Lulzsec followers started to say, via Twitter, that they had accessed Facebook, Twitter and online gaming accounts. "I am now an level 85 human warrior on mal'ganis server," wrote one follower, called Miracle Joe, referring to a server used by World of Warcraft gamers.
"Got an Xbox Live, Paypal, Facebook, Twitter, YouTube THE WHOLE LOT! J-J-J-J-J-J-JACKPOT," wrote another follower, Niall Perks. The "idiot had the same password for everything," he later explained.
Others claimed that they'd chatted with friends of the victims or posted obscene photos or messages to their profile pages.
Crowell, a property assessment specialist with the Wisconsin Department of Revenue in Milwaukee, describes herself as a "boring old lady on the Internet." Though she knew better, she reused her passwords, including the one she used at both Amazon and Writerspace.com. "Everyone knows that everyone uses the same password for everything," she said. "You know what you're supposed to do, but do you do it?"