FBI Just Got Hacked

Background

As their website says, “InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. Through seamless collaboration, InfraGard connects owners and operators within critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats. InfraGard’s membership includes: business executives, entrepreneurs, lawyers, security personnel, military and government officials, IT professionals, academia and state and local law enforcement—all dedicated to contributing industry-specific insight and advancing national security.”

December 13, 2022

Brian Krebs, a security researcher, reported that InfraGard’s database of over 80,000 members was for sale on a cybercrime forum. The hacker provided sample data containing a variety of InfraGard members’ personal information, such as:

  • Full names
  • Email addresses
  • Employment details
  • Industry of employment
  • Social media USERIDs and more

Are the FBI’s networks this weak?

Krebs contacted the hacker and learned that the hacker had applied using the name, date of birth, and Social Security number of a CEO who was an eligible candidate for InfraGard membership. The application process for InfraGard usually takes around 3 months; this hacker’s application, however, took significantly less time. Because InfraGard’s system allows members to choose between one-time code activation via email or SMS and MFA, and because the program’s user data was accessible via an Application Programming Interface (API), the hacker’s job became easier. The hacker then wrote a Python script to retrieve all of the data from the API.
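
A defender-side view of the scripted retrieval described above, as an added example that is not from the original post: it flags any single account that reads more distinct member records than a threshold within a sliding window, which a raw request-rate limit would miss or over-trigger on. The log format, the /api/members/ path, the account names and both thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding window
MAX_DISTINCT = 25              # assumed ceiling on distinct records per account per window


def parse(line):
    # Hypothetical log format: "<ISO time> account=<id> GET /api/members/<record id>"
    ts, acct, _method, path = line.split()
    return datetime.fromisoformat(ts), acct.split("=", 1)[1], path.rsplit("/", 1)[1]


def find_bulk_readers(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Map each flagged account to the time it first exceeded max_distinct
    distinct member records inside one sliding window."""
    recent = defaultdict(deque)                     # account -> (time, record) in window
    hits = defaultdict(lambda: defaultdict(int))    # account -> record -> count in window
    flagged = {}
    for line in lines:
        ts, acct, record = parse(line)
        q, seen = recent[acct], hits[acct]
        q.append((ts, record))
        seen[record] += 1
        while ts - q[0][0] > window:                # expire requests older than the window
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) > max_distinct:
            flagged.setdefault(acct, ts)
    return flagged


def constructed_log():
    """Constructed sample data: two ordinary members and one scripted directory walk."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    rows = []
    for i in range(6):      # alice: a handful of lookups spread over an hour
        rows.append((t0 + timedelta(minutes=10 * i), "alice", 100 + i % 3))
    for i in range(100):    # bob: many requests, but only three distinct records
        rows.append((t0 + timedelta(seconds=2 * i), "bob", 500 + i % 3))
    for i in range(200):    # mallory: a new record every second
        rows.append((t0 + timedelta(seconds=i), "mallory", i))
    rows.sort()
    return [f"{t.isoformat()} account={a} GET /api/members/{r}" for t, a, r in rows]


if __name__ == "__main__":
    for account, when in find_bulk_readers(constructed_log()).items():
        print(f"{account} exceeded {MAX_DISTINCT} distinct records at {when}")
```

Counting distinct records rather than requests keeps the busy but legitimate account (bob) below the threshold while the sequential walk is flagged within its first half minute.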

Scale of the Breach

While this hack poses a serious and significant risk to InfraGard members, it was discovered that nearly half of the account details did not contain email addresses, Social Security numbers, or dates of birth, leaving most records empty.

Conclusion

Even in this day and age, when cybersecurity is frequently discussed, a major organisation was breached via an API. This should serve as a wake-up call to civilians about how inadequate they are in terms of online safety and security.

that’s it ✌🏽

