Anonymous Breach of Stratfor Exposed Customer Data and Millions of Internal Emails
Anonymous-affiliated attackers breached private intelligence firm Stratfor, stealing subscriber records, payment data, and a vast archive of internal correspondence. Reporting on the intrusion said the attackers accessed administrative systems, expanded into databases and mail servers, and exfiltrated data affecting about 860,000 user accounts and more than 60,000 credit cards; some reports said card numbers were stored in plaintext, while passwords were protected with weak unsalted MD5 hashes. The attackers defaced Stratfor’s website, deleted server contents, published stolen card data, and used some of the payment information for fraudulent charitable donations, contributing to losses that reports put at a minimum of $700,000 and broader damages of roughly $2 million.
The breach escalated when WikiLeaks began publishing roughly 5 million Stratfor emails, exposing the firm’s client relationships, source-handling practices, monitoring of activist groups, and sensitive geopolitical claims contained in internal messages. Subsequent reporting said the FBI had visibility into parts of the operation through informant Hector Xavier Monsegur ("Sabu") and later built its case against alleged participant Jeremy Hammond, while Stratfor faced delayed customer notification and legal fallout. Years later, researchers also warned that some documents in the leaked Stratfor archive contained live malware, including files exploiting CVE-2010-3333, creating additional risk for journalists and researchers who downloaded the material.
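A static first-pass check for attachments pulled from an archive like this, meant to run inside the isolated environment before anything is opened in Office. It is an added example, not code from the researchers or from this page; the signature table, the `pFragments` heuristic (the RTF shape property associated with CVE-2010-3333) and the sample bytes are constructed assumptions.

```python
import re

# Type is decided from the leading bytes, never from the file name.
MAGIC = [
    (b"{\\rt", "rtf"),  # short prefix so a malformed \rtf header still classifies
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # OOXML or plain archive
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),
]
EXPECTED = {"rtf": {"rtf"}, "doc": {"ole2"}, "xls": {"ole2"}, "ppt": {"ole2"},
            "docx": {"zip"}, "xlsx": {"zip"}, "zip": {"zip"}, "pdf": {"pdf"}}
# Heuristic only: pFragments can occur in benign drawings, so a hit means
# "review in the sandbox", not "confirmed exploit".
PFRAGMENTS = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)

def sniff(data):
    """Return a coarse content type from the first bytes of the file."""
    head = data[:16].lstrip()
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(filename, data):
    """Flag reasons to keep a file quarantined; the file is never rendered."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    flags = []
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        flags.append(f"extension .{ext} but content is {kind}")
    if kind == "rtf" and PFRAGMENTS.search(data):
        flags.append("RTF shape property pFragments present")
    if kind == "rtf" and b"\\objdata" in data:
        flags.append("RTF embedded object data present")
    if kind == "pe":
        flags.append("executable content")
    return {"file": filename, "type": kind, "flags": flags,
            "quarantine": bool(flags)}

# Constructed, harmless byte strings standing in for archive attachments.
SAMPLES = {
    "report.doc": b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;00}}}}",
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
    "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "invoice.pdf": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

A clean result here only means none of these cheap checks fired; obfuscated control words will pass it, so files still belong in the isolated environment.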

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Researchers find live malware in WikiLeaks' Stratfor email archive
In July 2015, researchers warned that documents in WikiLeaks' searchable Stratfor archive still contained malicious attachments, including files exploiting older Microsoft Office vulnerabilities such as CVE-2010-3333. They advised journalists and researchers to handle the leaked files cautiously and in isolated environments.
Have I Been Pwned adds the Stratfor breach
Have I Been Pwned cataloged the Stratfor breach in March 2026, summarizing the December 2011 attack and the exposed data types, including email addresses, internal system data, time zones, and unsalted MD5 password hashes. The listing also noted the theft of credit card data and its fraudulent use.
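Why unsalted MD5 is a weak password store, and one way to retire it, shown as an added example that is not code from Stratfor or from this page. The user table, the PBKDF2 work factor and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def legacy_md5(password):
    """The scheme the reporting describes: MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_unsalted(rows):
    """Return digest -> users for digests shared by two or more accounts.
    Shared digests appear only when no per-user salt is mixed in, so one
    recovered password exposes every account in the group."""
    groups = defaultdict(list)
    for user, digest in rows:
        if MD5_HEX.match(digest):
            groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}

def hash_password(password, salt=None):
    """Salted, deliberately slow replacement record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_and_upgrade(password, stored):
    """Return (ok, replacement). A correct login against a legacy MD5 record
    yields a salted record to store in its place; otherwise replacement is None."""
    if MD5_HEX.match(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, hash_password(password) if ok else None
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex), None

# Constructed user table: two accounts happen to share a password.
USERS = [("alice", legacy_md5("hunter2")),
         ("bob", legacy_md5("correct horse")),
         ("carol", legacy_md5("hunter2"))]

if __name__ == "__main__":
    print(audit_unsalted(USERS))
```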
Class-action lawsuit follows the Stratfor breach
After the compromise and delayed notifications, Stratfor faced a class-action lawsuit from affected customers. Reporting also said the company estimated roughly $2 million in damages and lost revenue from the incident.
Public reporting details scope and mechanics of the Stratfor hack
In early March 2012, court filings and investigative reporting described how Jeremy Hammond and other Antisec members allegedly accessed Stratfor through an admin panel, moved into databases and mail servers, and stole more than 60,000 payment cards and extensive email archives. The reports also said four servers were wiped and 30,000 card numbers were published.
Stratfor publicly downplays significance of the email leak
As WikiLeaks began publishing the emails, Stratfor CEO George Friedman said the disclosures were being overstated and denied wrongdoing, while also suggesting some messages might have been altered. The company framed the leak as embarrassing but not proof of criminal conduct.
WikiLeaks begins publishing stolen Stratfor emails
In late February 2012, WikiLeaks started releasing about five million emails taken from Stratfor, exposing internal correspondence, source-handling practices, and client-related intelligence work. The publication was described as a partnership with Anonymous.
Stratfor delays customer notification at FBI request
Following the breach, Stratfor postponed notifying affected customers because of an FBI request tied to the ongoing investigation. The delay later became part of the public controversy and subsequent litigation around the incident.
Attackers publish stolen Stratfor customer data and use cards fraudulently
By late December 2011, the attackers had released stolen subscriber information, including email addresses, passwords, and credit card details, and used some of the cards for unauthorized charitable donations and other purchases. Reports put fraudulent charges at a minimum of $700,000.
Anonymous breaches Stratfor during Christmas holiday
In late December 2011, attackers linked to Anonymous/Antisec compromised Stratfor's systems, defaced its website, and gained access to customer data, internal systems, and large volumes of email. Reporting indicates the intrusion exposed roughly 860,000 user accounts and tens of thousands of payment cards.
FBI learns of the Stratfor intrusion and begins monitoring via Sabu
After learning of the breach on December 6, 2011, the FBI used informant Hector Xavier Monsegur ("Sabu") to monitor the attackers, collect evidence, and receive stolen data transferred to FBI-controlled systems. The bureau later said the compromise was already well underway when it acted.
Sources
14 references tracked.
Have I Been Pwned: Stratfor Data Breach
haveibeenpwned.com
Wicked WikiLeaks leaks considered harmful: Alert over malware lurking in dumped docs
theregister.com
Inside the Stratfor Attack - NYTimes.com
web.archive.org
LulzSec court papers reveal extensive FBI co-operation with hackers | LulzSec | The Guardian
theguardian.com
Israel, Kurdish Fighters Destroyed Iran Nuclear Facility, Email Released by WikiLeaks Claims - Haaretz Com
haaretz.com
GI Files -
wikileaks.org
Questions About Motives Behind Stratfor Hack - The New York Times
bits.blogs.nytimes.com
Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents - curated content on the Wikileaks website also infected
joshwieder.net


