Anatomy of a Breach

Anatomy of a Breach: HBGary Federal — The Security Firm That Poked Anonymous and Got Burned

> series: anatomy_of_a_breach —— part: 025 —— target: hbgary_federal —— attacker: anonymous —— emails_leaked: 71,000

Hedgehog Security 31 January 2011 13 min read

A security firm boasted it had unmasked Anonymous. Anonymous disagreed.

In early February 2011, Aaron Barr, CEO of security firm HBGary Federal, told the Financial Times that he had used social media analysis to identify the leaders of hacktivist collective Anonymous and planned to present his findings to the FBI. Within hours of the article's publication, Anonymous demonstrated exactly why threatening to unmask a decentralised hacking collective is an exceptionally poor business decision.

Anonymous compromised HBGary Federal's website via a SQL injection vulnerability in its custom CMS, used password reuse to pivot into Aaron Barr's email account and social media, and ultimately leaked 71,000 internal company emails. They defaced the website, took over the company's Twitter account, and remotely wiped Barr's iPad. The leaked emails exposed embarrassing details including proposals to use disinformation campaigns against WikiLeaks supporters, plans to attack journalists, and details of contracts with government agencies. Barr resigned within weeks. HBGary Federal's parent company was eventually sold. The security firm that had claimed to be expert enough to unmask Anonymous could not protect its own email server from a SQL injection.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

SQL injection, password reuse, and hubris.

The attack chain was remarkably straightforward — and remarkably effective. It exploited the same vulnerability classes we have documented throughout this series, combined with the social engineering and persistence that Anonymous brought to ideologically motivated attacks.

| Step | Technique | What It Exploited |
|---|---|---|
| 1 | SQL injection against the HBGary Federal CMS | A custom-built content management system with an unpatched SQL injection vulnerability. A web application penetration test would have found this in hours. |
| 2 | Password hash extraction and cracking | MD5-hashed passwords with no salting. Aaron Barr's password was cracked quickly, revealing a weak password that he reused across multiple services. Our password cracking article demonstrates exactly this technique. |
| 3 | Credential reuse pivot | Barr's cracked password was used to access his personal email, Twitter, and LinkedIn — all using the same password. From his email, Anonymous found credentials for additional HBGary systems. |
| 4 | Social engineering of HBGary's IT administrator | Using Barr's compromised email, Anonymous social-engineered a system administrator into providing root SSH access to HBGary's Linux servers — by impersonating Barr in an email requesting 'urgent' access. |
| 5 | Full compromise and data exfiltration | With root access, Anonymous downloaded the entire email archive (71,000 emails), defaced the website, wiped systems, and took control of social media accounts. |
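Step 1 of the chain is the only one that needs code to understand, because the defect is in how the CMS built its query. The example below is added here and is not code from the original article or from HBGary's CMS: it uses a constructed in-memory SQLite table and shows the concatenated query beside the parameterised one, wrapped in the kind of regression check a development team would keep in its test suite after a web application test reports the finding.

```python
import sqlite3

def make_cms_db():
    """Constructed in-memory stand-in for a CMS user table; not HBGary's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('editor', 'placeholder-hash')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password_hash):
    """The defect: user input is spliced into the SQL text, so it can change the
    query's structure instead of only supplying a value."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterised(conn, username, password_hash):
    """The fix: bound parameters reach the driver separately from the SQL text,
    so whatever the caller supplies is only ever compared as a value."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0

def injection_regression_check():
    """Regression test for the fix: the same malformed username that bypasses the
    password check in the concatenated query must fail against the parameterised
    one. Returns (vulnerable_result, fixed_result)."""
    conn = make_cms_db()
    # Constructed test input: the quote closes the string literal and '--' turns
    # the rest of the concatenated query, including the password check, into a comment.
    bad_username = "editor'--"
    return (
        login_vulnerable(conn, bad_username, "wrong"),
        login_parameterised(conn, bad_username, "wrong"),
    )

if __name__ == "__main__":
    print(injection_regression_check())  # (True, False)
```

The parameterised form is the whole fix; there is no input filtering to get wrong, because the database never parses the username as SQL.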

A security firm undone by basic security failures.

SQL Injection — Again

HBGary Federal's website was compromised through SQL injection — the same vulnerability that powered Gonzalez's 174-million-card theft. A security company's own website, vulnerable to the number one item on the OWASP Top 10. Our <a href="/penetration-testing/web-application">web application testing</a> finds SQL injection in the websites of organisations that should know better — and HBGary proved that even security firms are not immune.

MD5 Passwords, No Salting, Password Reuse

The CEO of a security firm used a weak password, stored as an unsalted MD5 hash, and reused it across personal and professional accounts. Every one of these failures is a basic security hygiene issue that <a href="/cyber-essentials">Cyber Essentials</a> addresses. Multi-factor authentication — now a Danzell auto-fail criterion — would have prevented the credential reuse pivot entirely.

Social Engineering of IT Staff

An email from the CEO requesting urgent SSH access was not questioned, not verified through a second channel, and resulted in root credentials being handed to an attacker. Social engineering assessments — part of our <a href="/penetration-testing/social-engineering">penetration testing services</a> — test exactly this scenario.

The Provocation Factor

Barr's public threat to unmask Anonymous turned what would have been an obscure security firm into a high-priority target for one of the most active hacktivist groups in the world. Threat intelligence — understanding who might target you and why — is a critical component of security strategy. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence service</a> helps organisations understand their threat landscape before they become targets.
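Why "unsalted MD5" is the failure, rather than MD5 alone, is worth seeing in code. The example below is added here and is not code from the original article or from HBGary's systems: the wordlist is constructed, and it contrasts a deterministic unsalted hash (which a table computed once in advance matches instantly, and which leaks that two users share a password) with a per-user random salt plus a slow key derivation function, PBKDF2-HMAC-SHA256 from Python's standard library, which is the storage control a password audit or Cyber Essentials assessment would expect.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the short dictionary a password audit
# tries first; not from the page and not Barr's password.
COMMON_PASSWORDS = ["password", "letmein", "welcome1", "summer2011"]

def md5_unsalted(password):
    """How the breached CMS stored passwords: one deterministic MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(wordlist):
    """Why unsalted hashes fail: a hash -> password table can be computed once,
    ahead of time, and then matched against every stored hash with a dictionary lookup."""
    return {md5_unsalted(pw): pw for pw in wordlist}

def recover_unsalted(stored_hash, lookup):
    """Return the password behind an unsalted hash if it is in the table, else None."""
    return lookup.get(stored_hash)

def hash_salted(password, salt=None, iterations=100_000):
    """The control: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored alongside the user, the salt is not secret.
    A precomputed table is useless because the salt is unknown until the record exists."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_salted(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)

def same_password_two_users(password):
    """The other leak of unsalted hashing: two users sharing a password get identical
    MD5 hashes but distinct salted digests. Returns (md5_equal, salted_equal)."""
    md5_a, md5_b = md5_unsalted(password), md5_unsalted(password)
    (_, salted_a), (_, salted_b) = hash_salted(password), hash_salted(password)
    return md5_a == md5_b, salted_a == salted_b

if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print(recover_unsalted(md5_unsalted("welcome1"), table))  # welcome1
    print(same_password_two_users("welcome1"))  # (True, False)
```

The salt does not need to be secret and does not make a weak password strong; it removes the precomputation shortcut and forces one slow derivation per guess per user, which is what gives a password policy and MFA the time to matter.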
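Verifying a request through a second channel is a process control, but the outcome it guards against, a root shell opened over SSH with a password, is something monitoring should flag on its own. The example below is added here and is not code from the original article, from HBGary's servers, or from any product: it runs a least-privilege baseline over constructed lines in OpenSSH's auth.log format, alerting on any direct root login, any password (non-key) login, and any login from a source outside an assumed admin allowlist.

```python
import re

# Constructed sample lines in OpenSSH's auth.log format; not from the page or any real host.
SAMPLE_AUTH_LOG = """\
Feb  6 21:03:11 web1 sshd[4021]: Accepted publickey for deploy from 10.0.0.12 port 51022 ssh2
Feb  6 21:05:40 web1 sshd[4090]: Accepted password for root from 10.0.0.12 port 51100 ssh2
Feb  6 21:07:02 web1 sshd[4133]: Accepted password for root from 198.51.100.77 port 40312 ssh2
Feb  6 21:07:30 web1 sshd[4140]: Failed password for root from 198.51.100.77 port 40313 ssh2
"""

# Assumed allowlist of addresses administrators normally connect from.
KNOWN_ADMIN_IPS = {"10.0.0.12"}

# Matches only successful sessions; failed attempts are a separate (brute-force) signal.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)

def find_suspicious_logins(log_text, known_admin_ips):
    """Return one alert per accepted SSH session that breaks the baseline:
    direct root login, non-key authentication, or an unexpected source address."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        reasons = []
        if m["user"] == "root":
            reasons.append("direct root login")
        if m["method"] != "publickey":
            reasons.append("non-key auth method: " + m["method"])
        if m["ip"] not in known_admin_ips:
            reasons.append("source not in admin allowlist")
        if reasons:
            alerts.append({"user": m["user"], "ip": m["ip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_AUTH_LOG, KNOWN_ADMIN_IPS):
        print(alert)
```

The first sample line (a key-based login by a named account from an allowed address) produces nothing; the two root password logins each produce an alert, the second one with an extra reason because the source is unknown. The detection assumes the baseline already exists, which is the point: if root over SSH with a password is normal on your servers, no amount of monitoring will separate an attacker from an administrator.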

Nobody is too expert to be hacked.

The HBGary breach is the ultimate reminder that expertise does not confer immunity. A security firm — staffed by people who understood cyber threats professionally — was compromised through the most basic, well-documented vulnerabilities. The lesson for every organisation is that knowing about security is not the same as implementing it. Policies, knowledge, and awareness are necessary but not sufficient — only tested, verified, technically enforced controls actually protect you.

Our penetration testing verifies that controls work — not that they exist on paper. Cyber Essentials certification requires evidence of implementation, not just documentation. SOC in a Box monitors continuously for the anomalous access patterns that indicate compromise. Because if a security firm cannot protect itself from SQL injection and password reuse, the question for every organisation is not whether your defences are theoretically sound — but whether they have been tested.


If a security firm can be hacked through SQL injection, can you?

Our <a href="/penetration-testing/web-application">web application testing</a> finds the SQL injections. Our <a href="/blog/from-the-hacker-desk-cracking-passwords-afternoon">password assessments</a> crack the hashes. Our <a href="/penetration-testing/social-engineering">social engineering tests</a> test your staff. Because HBGary proved that claiming to be secure is not the same as being secure.
