Apparently, all it took to access 16 internal databases used by federal agencies was a username and password.
Internet security blogger Brian Krebs reported Thursday that hackers had accessed more than a dozen U.S. law enforcement agency portals under the Department of Justice, including those used by the Drug Enforcement Agency and FBI. Krebs was tipped off that hackers were reportedly able to infiltrate the network through a DEA system containing information and analytics useful for ongoing investigations.
The hacker apparently gained access to the databases May 8 through the DEA’s EPIC System portal, which is distinct from the esp.usdoj.gov portal that requires much more strict government authentication. Krebs wrote that the EPIC system apparently only requires a username and password without even a request for two-step authentication.
The tipster shared with Krebs several screenshots of ownership records for things like guns, vehicles, and drones. That data could be very useful to national or international criminal groups, according to UC Berkeley computer science researcher Nicholas Weaver, who told Krebs “I don’t think these [people] realize what they got, how much money the cartels would pay for access to this.”
The agency did not respond to Gizmodo’s request for further comment. The DEA told Krebs that they were investigating the reported hack, saying the agency “takes cyber security and information of intrusions seriously.”
The data was leaked to Krebs through a suspected administrator of Doxbin, which serves as a hub for people posting private information online. Doxbin has major connections to the LAPSUS$ teenage hacking group that are responsible for breaches of some of the world’s biggest tech companies. Even after purported leaders of the group were arrested earlier this year, hackers were still shown stealing user and company data.
LAPSUS$ hackers have previously uploaded their stolen data to semi-secure Telegram chats, but as of midday Thursday the group had not seemed to post any data related to the supposed hack on its main channel. Group hackers have already been known to impersonate law enforcement emails to get user data from big tech companies.
Krebs estimated EPIC wasn’t the only government database that requires only a single username and password access, considering there are 3,330 results that show up on a DOJ inventory.
He further critiqued the government’s apparent laxity in security, saying that if informal teenage hacking groups can break in, then state-sponsored groups could also have easy access.
“It is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information,” Krebs wrote.