Apparently, all it took to entry 16 inside databases utilized by federal companies was a username and password.

Internet safety blogger Brian Krebs reported Thursday that hackers had accessed greater than a dozen U.S. legislation enforcement company portals below the Department of Justice, together with these utilized by the Drug Enforcement Agency and FBI. Krebs was tipped off that hackers have been reportedly capable of infiltrate the community by way of a DEA system containing info and analytics helpful for ongoing investigations.

The hacker apparently gained entry to the databases May 8 by way of the DEA’s EPIC System portal, which is distinct from the esp.usdoj.gov portal that requires rather more strict authorities authentication. Krebs wrote that the EPIC system apparently solely requires a username and password with out even a request for two-step authentication.

The tipster shared with Krebs a number of screenshots of possession data for issues like weapons, autos, and drones. That knowledge could possibly be very helpful to nationwide or worldwide felony teams, based on UC Berkeley laptop science researcher Nicholas Weaver, who informed Krebs “I don’t think these [people] realize what they got, how much money the cartels would pay for access to this.”

The company didn’t reply to Gizmodo’s request for additional remark. The DEA informed Krebs that they have been investigating the reported hack, saying the company “takes cyber security and information of intrusions seriously.”

G/O Media might get a fee

Save $70

Apple AirPods Max

Experience Next-Level Sound
Spatial audio with dynamic head monitoring offers theater-like sound that surrounds you

The knowledge was leaked to Krebs by way of a suspected administrator of Doxbin, which serves as a hub for folks posting non-public info on-line. Doxbin has main connections to the LAPSUS$ teenage hacking group which might be liable for breaches of a number of the world’s greatest tech corporations. Even after purported leaders of the group have been arrested earlier this yr, hackers have been nonetheless proven stealing consumer and firm knowledge.

LAPSUS$ hackers have beforehand uploaded their stolen knowledge to semi-secure Telegram chats, however as of noon Thursday the group had not appeared to submit any knowledge associated to the supposed hack on its major channel. Group hackers have already been identified to impersonate legislation enforcement emails to get consumer knowledge from massive tech corporations.

Krebs estimated EPIC wasn’t the one authorities database that requires solely a single username and password entry, contemplating there are 3,330 outcomes that present up on a DOJ inventory.

He additional critiqued the federal government’s obvious laxity in safety, saying that if casual teenage hacking teams can break in, then state-sponsored teams may even have quick access.

“It is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information,” Krebs wrote.