Cyber Incident Victim: Court of Arbitration for Sport

On or around August 12, 2016, a threat actor operating under a Twitter account associated with Anonymous Poland breached servers belonging to the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (CAS). The attacker employed SQL injection techniques using the SQLMap automation tool to compromise the systems. Following the intrusion, the hacker exfiltrated approximately 412MB of data containing 3,121 unique email accounts with corresponding passwords stored using outdated MD5 hashing algorithms, which security analysts noted could be rapidly decrypted due to the weak encryption standard. The stolen dataset also included names and personal details of website authors and contributors associated with the compromised organizations. The attacker subsequently contacted cybersecurity news outlet HackRead to provide samples of the stolen data, though no explicit motive or demands were communicated during this exchange.

Analysis by third-party firm Hacked-DB confirmed the breach methodology and data composition, verifying the presence of vulnerable password storage practices and personally identifiable information in the leaked files. The incident exposed credentials and private details of individuals affiliated with both WADA and CAS, creating immediate risks of account compromise and identity-related exploitation. No information regarding organizational detection timelines, containment procedures, or remediation efforts by either WADA or CAS was disclosed in available reporting. The attacker’s Twitter activity suggested a pattern of indiscriminate targeting rather than a focused campaign against anti-doping or sports arbitration entities specifically. Security researchers emphasized the operational significance of the SQL injection vulnerability exploitation and inadequate password protection mechanisms as enabling factors for the breach.