Cyber Incident Victim: World Anti-Doping Agency

Date: Aug 2016

Location: Switzerland

Summary

A cyberattack compromised the World Anti-Doping Agency's systems via SQL injection using the SQLMap tool, resulting in unauthorized access to sensitive data. The breach exposed over 3,000 user accounts with MD5-hashed passwords vulnerable to rapid cracking, alongside personal details of authors and contributors. A group identifying as Anonymous Poland claimed responsibility for the incident, sharing stolen data with cybersecurity researchers but without disclosing specific motives. Analysis confirmed the attack methodology and data exposure, highlighting weaknesses in the agency's security infrastructure. The incident underscored risks associated with outdated cryptographic practices and unpatched vulnerabilities in web applications.

Description

On August 12, 2016, the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport suffered a data breach involving unauthorized access to their servers. A threat actor using a Twitter account associated with Anonymous Poland contacted cybersecurity news outlet HackRead, providing a stolen data file from the agencies. The attacker exploited an SQL injection vulnerability with the SQLMap automation tool to extract sensitive information. Analysis by third-party firm Hacked-DB confirmed the leaked data totaled 412MB and contained 3,121 unique email accounts paired with passwords hashed with MD5, an outdated, weak algorithm whose hashes can be cracked rapidly. The compromised records also included names and personal details of website authors and contributors. No explicit motive was declared by the attacker, though their Twitter activity suggested indiscriminate targeting of various platforms. The breach methodology indicated exploitation of unpatched web application vulnerabilities rather than advanced persistent threat tactics.

The incident exposed thousands of individuals’ credentials and personally identifiable information, creating risks of account takeover and identity theft. The use of MD5—deprecated by security professionals for years—highlighted inadequate password storage practices at the affected organizations. Forensic examination revealed no evidence of data manipulation or destruction, suggesting the attack focused solely on exfiltration. While the hacker shared data with HackRead, there was no public confirmation of wider dissemination through dark web forums or other channels at the time of reporting. Neither WADA nor the Court of Arbitration for Sport issued immediate public statements regarding containment measures, system restoration timelines, or notifications to affected users based on available information. The breach underscored persistent vulnerabilities in sports governance infrastructure despite heightened scrutiny following prior high-profile cyberattacks in the athletic domain.
