The Federal Bureau of Investigation InfraGard online platform, a vetted online sharing network where the bureau shares threat information with the private sector, has been hacked. All 80,000 members of the program—who have been vetted by the FBI themselves—have had their personal data dumped and put up for sale on a renowned hacker forum. InfraGard discusses cybersecurity and critical infrastructure topics with public officials and private sector contributors.
The hacker who has claimed responsibility for the attack posted samples of the database on the hacker forum. The entire database is now for sale on the black market for $50,000.
For those unfamiliar with InfraGard, “InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” according to their official datasheet.
The hacker gained access to the InfraGard platform by posing as the CEO of a financial institution. The hacker called the vetting effort “surprisingly lax”, according to Brian Krebs who broke the story.
InfraGard explains in the new member application process that vetting new members “could take months”, and yet the hacker states he or she was never contacted over the phone, and approved by email.
“If it was only the phone I will be in a bad situation” the hacker stated in the breach announcement. The hacker used the real number of the CEO they were impersonating. But, following this incident, the real CEO in question confirmed they were never contacted by the FBI.
Ironically, the account the hacker used was vetted by the FBI themselves—but reportedly only through email. A simple phone call likely would’ve blown the impersonation attempt.
InfraGard does support multi-factor authentication but can choose between an SMS or email authentication code delivery.
Once inside the InfraGard platform, the hacker was able to utilize an application programming interface (API) that is built within multiple components of the website to extract user data.
The hacker then used the newly-vetted account to reach out to existing InfraGard members.
While the hacker is asking for $50,000 for the user database, it’s unclear whether it will ever be sold or at that asking price. Members of InfraGard can optionally include work, address, phone, or personal email addresses but it is not required.
According to the Associated Press, only approximately 47,000 members in the database even include an email.
But the situation unfolding is clearly embarrassing for the FBI and its InfraGard program. It’s yet another massive leak of personally identifiable information at the hands of a mismanaged IT system.
The FBI is investigating and responding to the incident as we report.
