FBI No Security

PUBLISHED: 1:00 PM 13 Apr 2019
UPDATED: 6:35 PM 13 Apr 2019

Hackers Infiltrate “1000” FBI Sites, Dox Thousands of Agents

The level of the possible breech is nearly fantastic… and the hackers admitted that they were able to exploit these sites because of a basic lack of security protocols that would leave any business open to a liability lawsuit.

The national investigation agency doesn't use the most basic forms of security to protect its own sites?

A hacker group posted thousands of names and the personal information of law enforcement officials and FBI agents thanks to the fact that the FBI apparently doesn’t secure its own websites as well as a dog grooming business.

Fox Business reported:

The Associated Press counted at least 1,400 unique records of employees of the FBI, Secret Service, Capital Police, and other federal agencies as well as police and sheriffs’ deputies in North Carolina and Florida.

Tech Crunch was the first to report the exploitation. One of the hackers contacted the outlet and bragged about their abilities, even directing the reporter to another FBI web site, which when accessed, showed the information that had been hacked on the homepage.

Tech Crunch outlined the actions:

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA.

The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.

The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we’ll update.

TechCrunch spoke to one of the hackers, who didn’t identify his or her name, through an encrypted chat late Friday.

“We hacked more than 1,000 sites,” said the hacker. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.” We asked if the hacker was worried that the files they put up for download would put federal agents and law enforcement at risk. “Probably, yes,” the hacker said.

The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.

It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”

Unprompted, the hacker sent a link to another FBINAA chapter website they claimed to have hacked. When we opened the page in a Tor browser session, the website had been defaced — prominently displaying a screenshot of the encrypted chat moments earlier.

The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.

In the encrypted chat, the hacker also provided evidence of other breached websites, including a subdomain belonging to manufacturing giant Foxconn.

One of the links provided did not need a username or a password but revealed the back-end to a Lotus-based webmail system containing thousands of employee records, including email addresses and phone numbers.

Their end goal: “Experience and money,” the hacker said.

The fact that the Federal Bureau of Investigation is so lax in performing the most basic security tasks is ridiculous. Is this intentional? Are they aware that any Chinese hacker could access such information and probably wouldn’t brag about it?

This is unacceptable.