I believe them; look at the billions thrown at HealthCare.gov, and it is still vulnerable. There are scores of .mil websites floating around that an experienced hacker group could gain access to.
Via The Hill:
The Islamic State in Iraq and Syria (ISIS)-affiliated hacking group taking credit for posting a hit list of 100 U.S. service members claims it has access to numerous U.S. military domains.
The comments came via an electronic chat with Motherboard and were made in response to Monday’s Daily Beast story, which showed the hackers could have created most of their list by Googling self-promotional Defense Department websites.
“l0l” the person told Motherboard after reading The Daily Beast article. “Clearly whoever wrote that didn’t read the leak.”
The hacker, who claimed to represent the Islamic State Hacking Division (ISHD), said he had scanned .mil domains and discovered “many of them” use outdated content management systems (CMS), which is how website managers update the site’s content.
The old systems contained flaws in the code that allowed ISHD to gain access to the sites’ servers, which had the names of the service members that were posted to the hit list.
The hacker declined to provide any proof, though, saying he didn’t want to lose access to the sites.
He did acknowledge using Google to determine which of the names from his list were pilots who had bombed ISIS targets.
“[I] found a bunch of names because the US media and military have big egos and like to brag and show off, then i searched the names in my compiled list, some where in the list and some wasn’t [sic],” he said.