Authorities were investigating the online posting by hackers on Saturday of the personal information of hundreds of federal agents and police officers, apparently stolen from websites affiliated with alumni of the FBI’s National Academy.
Cybersecurity researchers counted at least 1,400 unique records of employees of the FBI, Secret Service, Capitol Police, U.S. Park Police and other federal agencies, as well as police and sheriffs’ deputies in North Carolina and Florida. Even more disturbing is that the records included home addresses and phone numbers, emails and employers’ names.
The FBI National Academy Associates said in a statement that the information, posted late Thursday, appears to come from the websites of three local chapters of the nonprofit, which claims nearly 17,000 members nationwide and in 174 countries. It said it was working with federal authorities to investigate.
The group said its national database was unaffected. It said the three affected chapters were using third-party software but said it was too early to determine if this impacted the breach.
The hacker group identified and exploited flaws on three websites associated with the FBI National Academy Association (FBINAA), a group comprising graduates of a training program for U.S. law enforcement personnel based out of Marine Corps Base Quantico in Virginia, allowing them to download the contents of their web servers.
That included roughly 4,000 unique records of people including FBINAA members, as well as a mix of personal and government email addresses, job titles, phone numbers and their postal addresses. The websites in question appear to have been run by local chapters, rather than the FBI itself.
The group used publicly known exploits, which means that the websites in question were likely not up to date. The hackers provided indications that they had hacked other organizations, like Taiwanese manufacturer Foxconn. They also updated one of the FBINAA websites mid-conversation as evidence of their claims.
The hackers have posted some very sensitive information to the web, and are expected to sell more information on the dark web. That is the common procedure for hacks like this: a group of hackers will usually cast a wide net in search of vulnerable websites, break into the ones they find, gather as much information as they can, and sell that data to the highest bidder. (Or, if they’re willing to leave it up for sale, to anyone who can pay their asking price.) They basically turn secrets into money.