The pursuit of hackers who audaciously stole and published credit reports for Michelle Obama, the attorney general, FBI director and other U.S. politicians and celebrities crisscrossed continents and included a San Francisco-based Internet company, Cloudflare, The Associated Press has learned.
The sensational crime caught the attention of Congress and President Barack Obama, who said "we should not be surprised."
Obama said he could not confirm that the first lady's credit report was published earlier this week on a Russian website, along with what appeared to be the credit reports of nearly two dozen others, including Republican presidential candidate Mitt Romney, Donald Trump and celebrities Britney Spears, Jay Z, Beyonce and Tiger Woods.
If accurate as widely suspected, the leaked records put each victim at significant risk of identity theft. Included in the reports are Social Security numbers, dates of birth and a list of previous home addresses. The records also include such personal information as the first lady's monthly payments on a student loan 10 years ago and that she once held a Banana Republic credit card.
The president said determined hackers are a persistent threat.
"We should not be surprised that if you've got hackers who want to dig in and devote a lot of resources, that they can access people's private information," Obama told ABC News in an interview aired Wednesday. "It is a big problem."
Obama added: "It would not shock me if some information among people who presumably have pretty good safeguards against it, still gets out. That's part of the reason why we've got to continually improve what we do and coordinate between public and private sectors to make sure that people's information is safe."
On Capitol Hill, the chairman of the House Judiciary Committee cited the breach Wednesday at a congressional hearing about the government prosecuting hackers. Rep. Bob Goodlatte, R-Va., said the leaks of financial information was "just the beginning of the problem" when it comes to the vulnerability of U.S. computer networks. Goodlatte said the U.S. has billions of dollars at stake, as foreign hackers try to steal sensitive information from businesses.
A spokesman for one of the largest U.S. credit bureaus, Tim Klein of Equifax, said an initial investigation showed that hackers used a website designed to give consumers a free credit report. The hackers apparently used personal details about their victims to impersonate them and generate the credit reports.
Representatives for Experian, Equifax and TransUnion have all said they were cooperating with the U.S. criminal investigation being conducted by the FBI and Secret Service.
A retired FBI executive assistant director, Shawn Henry, said he hopes the incident sheds light on the scope of the cybersecurity problem and identity theft in particular, which affects millions of Americans who aren't famous enough to make headlines.
In San Francisco, Cloudflare operates the directory computers, known as name servers, used behind the scenes to send visitors to the Russian website where the stolen credit reports were being published, according to Internet registration records. Without that service, few Internet users would be able to visit the Russian website or view the stolen credit reports.
A company spokeswoman, Carol Carrubba, told the AP that Cloudflare, which she described as a performance and security company, doesn't comment on its customers. But Carrubba said: "Even if we delete a customer's account, the content remains in place, although the site may load more slowly."
Internet directories on Wednesday continued to identify Cloudflare as directing traffic to the Russian website, although any technical changes could take hours or days to update across the Internet.
Last month, the chief executive at Cloudflare, Matthew Prince, said in a speech that he had been victimized last year by hackers associated with the group UGNazi. They tricked Google into giving them access to his Gmail account, Prince said, and left voicemails taunting him that they had bought his Social Security number from an underground Russian website. Prince said the break-in of his personal email account also allowed the hackers to take over Cloudflare's corporate email systems.
Social Security numbers posted on Jay-Z, Mel Gibson and others matched records in public databases. Social Security numbers are not public records, although they are included in some court filings. Many courts require the information be redacted from filings since the numbers can be used to steal a person's identity and open credit accounts in their name.
Steps to take if you've been hacked
Call your bank and/or credit agencies • Banks can review and, most likely, halt any transactions made by another person.
Get a copy of your credit report • It's free and gives you quick access to any accounts open in your name. You can also set up a free three-month fraud alert at one of the three major credit agencies Experian, Equifax and TransUnion. It requires any creditor to contact you by phone when a request to issue credit is made.
Scan and update your computer • Perform an antivirus scan to ensure there's no malware or other virus. Make sure your computer is running the latest version of its operating system.
Reset passwords • If you discover a social-network account has been hacked, request a password reset immediately. You'll get an e-mail with a link.
Make passwords as complex as possible • Use letters, numbers and symbols when creating a password, and use different passwords for different sites.
Stay vigilant • No one is immune to hacking, but responding quickly to an incident can make the experience less stressful.