The FBI cybersecurity portal was hacked and the contact information of thousands of its members was leaked on an illegal cybercrime forum.
The contact information of more than 80,000 users on the InfraGard portal is now thought to have been compromised, with hackers messaging members directly under an account posing as an FBI-vetted financial CEO.
InfraGard works with businesses to share information related to cyberattacks and other threats.
The names and contact information of these members are for sale on Breached, a new cybercrime forum.
InfraGard vets its membership, which is made up of key personnel from cybersecurity firms contracted to secure public agencies and critical infrastructure such as water, utilities, transportation, healthcare and nuclear energy. The goal is to educate both the FBI and these companies about cybersecurity threats by exchanging information.
“This is an ongoing situation and we are unable to provide any additional information at this time,” the FBI said in response to the incident.
KrebsOnSecurity contacted the seller on Breached, who claimed they had applied for an InfraGard account under the guise of the actual CEO of a large credit company.
They used the CEO's name, Social Security number, email address (which they also claim was stolen) and phone number to fill out the application. The real CEO told KrebsOnSecurity they were never contacted by the FBI about the application.
Although they did not expect to be accepted, the hackers received an email from InfraGard in early December saying they had indeed been approved.
InfraGard requires multi-factor authentication, but users can choose to receive one-time codes via email instead of SMS. Had the portal required phone-based codes only, the hackers said the attempt would have been thwarted, because they had entered the CEO's real phone number, which they did not have access to.
To actually steal the database, they claim they simply abused an API in the portal intended to help members connect with each other, using a Python script to pull each user's record from it.
Although the information they obtained was basic and sometimes incomplete, the hackers claim their real motive was to continue to impersonate the CEO to contact other InfraGard members, perhaps in hopes of extracting more sensitive information.
The moderator of the Breached forum is Pompompurin, who has a history with the FBI. Last year, they exploited a vulnerability in another of the agency's information-sharing portals for local law enforcement, using it to send mass spam from legitimate FBI email addresses and IP addresses.