The U.S. defence department is investigating a cyber attack on a government contractor in which hackers claimed to have obtained 90,000 e-mail addresses and encrypted passwords of military personnel.
A Pentagon official said on Tuesday that it was looking into the breach at consulting firm Booz Allen Hamilton but lacked "concrete information".
"We don't have all the details", the official told the Financial Times on condition of anonymity. "That said, there may be some information that we can't share once we do."
The cyber-activist group called Anonymous took credit for the breach and posted the data on the Pirate Bay file-sharing site. It said that data had been taken from a poorly-protected server on the Booz Allen network and that it was "surprised" at how easy it had been to hack into a company working for the U.S. military.
Booz Allen did not return a call seeking comment. The breach is an embarrassment for the company, which has a former U.S. director of national intelligence as its head of national-security contracting.
Experts said the type of encryption used for the passwords could be broken, with the difficulty of that task determined by factors including whether numbers and special characters were required. "If they are smart, [the military]will reset the passwords", said Jerry Dixon, former director of the cyber security division of the US homeland security department.
Otherwise, hackers in control of accounts could send e-mails tricking still more defence employees into installing malicious software on their machines.
"At this stage it will be important to focus on suspicious traffic leaving the network and making sure the problems are contained while forcing the password resets", Mr. Dixon said. "This is why two-factor authentication is so important." But even two-factor techniques, such as requiring tokens with fast-changing numeric codes, are no guarantee of security.
In May, Lockheed Martin, the largest defence contractor said it had been subject to a significant attack on its IT system that included a compromise of tokens provided by RSA.
The Lockheed attack appears to have been a targeted attempt to steal intellectual property or defence secrets, while Anonymous says it hacks companies in order to publicize their security flaws. In a tongue-in-cheek move, the hackers posted an invoice for $310 to Booz Allen Hamilton on the Pirate Bay site for their "audit" of the security system.