A massive data breach has occurred following the hacking of the servers belonging to Active Network, which processes online applications for hunting and fishing licenses in Oregon, Idaho, Kentucky, and Washington state. The hacker, calling himself “Mr. High”, claims to have acquired the personally identifiable information (PII) of those who have applied online for a fishing license or a hunting license in those states. Mr. High says that the information for each applicant includes their name, address,their date of birth (DOB), their height, weight, eye color, and the last four digits of their social security number (SSN). Some records also included email addresses and phone numbers.

While Active Network and various state agencies are saying that the data “may have been compromised” ([Page no longer available – we have linked to the archive.org version instead]), and “They’ve only been able to confirm that it was possible that personal information was accessed, We do not know yet whether or not that actually occurred, and we may not ever know,” (Idaho, as reported by the Associated Press in the Register Guard), DataBreaches.net is quoting Mr. High as saying that he accessed 2,435,452 records from Washington (including “Name, DOB, Address, DL#, Last Four Digits of SSN, Height, Weight, and Eye Color. Some have email and/or phone”), 1,195,204 records from Oregon (including “Name, DOB, Address, and DL#. Some have email and/or phone”), 788,064 from Idaho (including “Name, DOB, Address, DL#, Full SSN, Height, Weight, Hair Color, and Eye Color. Some have email and/or phone”), and 2,126,449 from Kentucky (including “Name, DOB, Address, and Last Four Digits of SSN. Some have email and/or phone”).

In addition, says DataBreaches, Mr. High posted on the AlphaBay forum (Alpha Bay is a site on the dark web which people can use to buy, sell, and trade illegal substances and data), claiming that “I just hacked four websites and reported the security holes. Two of these were government websites. All of these websites pertain to one type of activity that requires registering PI. Each website is contained to one state. I got over six million pieces of personal information from these websites. This should make the news. I’ll list the exact websites once the security hole is patched and/or it makes the news.”

In a statement updated on Friday, the [Page no longer available – we have linked to the archive.org version instead] said that the breach likely only affected those who had applied for a Washington state hunting or fishing license online prior to June, 2006, although we have been unable to verify that or to find any of the other state agencies saying that. For their part, Active Network has been been silent, and most reports of the incident say that Active Network has not responded to requests.