‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been leaving the digital keys to its own cloud storage accounts sitting out in the open, in plain text form, for some unknown amount of time, according to a report from Krebs on Security. The problem finally got fixed over the weekend, the report says.

Surely the secret information was buried in some obscure folder with an inscrutable name, I hear you saying. The repository was reportedly named “Private-CISA.”

But there’s no way the contents were that sensitive, you object. Yet the contents included passwords, keys, and tokens—and the passwords were plain text in a .CSV file.

CISA gave a statement to Krebs, saying the following:

“Currently, there is no indication that any sensitive data was compromised as a result of this incident[…] While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

Since the repository was created in November of last year, the duration of the vulnerability seems to have been about six months—but it could have been much shorter depending on what information was added when.

To refresh your memory, CISA is a relatively new branch of the Department of Homeland Security that has had an overall rough time during Trump 2.0, even though, by signing it into law in 2018, Trump actually midwifed CISA into existence during Administration 1.0, and sorry about the tangent, but Trump’s speech to mark the occasion was an exceptional example of Trump poetry, including excerpts like this one:

“The cyber battlespace evolves — and it is evolving, and unfortunately, faster than a lot of people want to talk about. But battlespace it is. So as the cyber battlespace evolves, this new agency will ensure that we confront the full range of threats from nation-states, cyber criminals, and other malicious actors, of which there are many.” 

Incontestably true, Mister President. Battlespace it is.

Keep reading

Hackers possibly linked to Iran breached tank readers at US gas stations: CNN report

Hackers suspected to have ties to Iran may have infiltrated computerized fuel monitoring systems at gas stations across the United States, according to CNN on Friday.

The report said the suspected cyber intrusions targeted automatic tank gauge systems, or ATGs, which are used to track fuel levels and detect leaks in underground storage tanks at gas stations.

The CNN report suggested that federal investigators think the activity was carried out by hackers linked to Iran but officials have not publicly connected the operation to a specific branch of the Iranian government.

U.S. officials told CNN that some of the systems had been connected to the internet without password protection, potentially allowing hackers to access and manipulate digital readings and display settings. 

Investigators warned that falsified readings could hide leaks or create other safety problems.

Keep reading

Ex-Con Hacker Twins Fired – Proceed To Wipe Out 96 Government Databases In Minutes

Note to employers: When you discover your twin brother employees are ex-cons who did time for hacking into the US State Department, and go to fire them, make sure you fully disable their access. 

In February 2025, twin brothers Muneeb and Sohaib Akhter turned a routine job termination into one of the most brazen insider sabotage incidents in recent U.S. government history. Just minutes after being fired from Opexus – a Washington, D.C.-area contractor that provides critical case-management software to more than 45 federal agencies – the brothers allegedly launched a rapid digital assault that deleted approximately 96 government databases containing sensitive FOIA records, investigative files, and taxpayer data.

What made the case especially shocking was the brothers’ prior history: both had served prison time for hacking federal systems a decade earlier. 

A Decade-Old Criminal Record

The Akhter brothers, both 34 and from Alexandria, Virginia, had a criminal past that Opexus completely missed – which, given what they do, is not great. In 2015, while working as contractors, they pleaded guilty to conspiracy to commit wire fraud, conspiracy to access protected computers without authorization, and related charges. Their crimes involved hacking into U.S. State Department systems and a private company, stealing personal data on coworkers, acquaintances, and even a federal investigator.

Muneeb received a 39-month prison sentence; Sohaib received 24 months. Both served their time and were released.

And yet… 

By 2023-2024, the brothers had landed engineering roles at Opexus (formerly known as AINS), a firm specializing in FedRAMP-certified case-management platforms. Its flagship products – FOIAXpress and the eCASE suite – help agencies process Freedom of Information Act requests, audits, investigations, EEO complaints, and congressional correspondence. Opexus systems host sensitive government data on servers in Ashburn, Virginia.

The company conducted standard background checks covering roughly seven years – which missed the 2015 convictions. Opexus later admitted that “additional diligence should have been applied” and that the individuals responsible for hiring the twins are no longer with the company.

Unbeknownst to Opexus at the time of termination, the brothers had been abusing their access for weeks. Muneeb had collected approximately 5,400 usernames and passwords from the company’s network and built custom scripts to test them against external sites (including Marriott and DocuSign). He successfully logged into accounts and, in some cases, used victims’ airline miles.

On February 1, 2025 – more than two weeks before their firing – Muneeb asked Sohaib for the plaintext password of an individual who had filed a complaint through the EEOC Public Portal. Sohaib ran a database query and provided it; Muneeb then used the credentials to access the complainant’s email without authorization. This incident later became central to Sohaib’s password-trafficking charge.

Keep reading

UK Biobank Failures Expose the Permanent Cost of Sharing Genetic and Medical Records

The genetic sequences, medical scans, and lifestyle records of half a million British volunteers spent days listed for sale on Alibaba before anyone at UK Biobank noticed.

Three academic institutions, since banned from the platform, had quietly walked the data out through a research system that was supposed to keep it under lock and key.

At least one of the three Alibaba listings appeared to contain the full dataset covering every one of the 500,000 participants who handed over their blood, their DNA, and decades of personal health information on the understanding it would be used for medical research.

The UK government confirmed the breach on Thursday. Technology minister Ian Murray told the House of Commons that Biobank had flagged the incident on Monday, and that the Chinese government and Alibaba had cooperated to pull the listings down before any purchases went through. Murray thanked Beijing directly for its “speed and seriousness” in taking down the data, a sentence that carries some weight given the three research institutions identified as the source are Chinese, though officials have declined to draw conclusions about intent.

Professor Rory Collins, Biobank’s chief executive and principal investigator, issued a statement saying the listings “were swiftly removed before any purchases were made.” He apologized to participants and confirmed that access to the research platform had been suspended while the organization installs file size limits designed to stop researchers from walking off with bulk datasets.

An automated checking system to vet outgoing files is not expected to be ready until late 2026.

The sales listing is not the scandal. The scandal is what the sales listing reveals about how often Biobank’s data has already been exposed and where it now sits.

Prof Luc Rocher of the Oxford Internet Institute has been tracking the problem and maintains a public record of known incidents. By his count, the Alibaba posting is “the 198th known exposure of UK Biobank data since last summer.” Rocher added that the data “is not just available for sale, it also remains available online for anyone to download today.” Researchers have repeatedly uploaded the dataset to code-sharing platforms by accident, and copies have since been replicated across the web. Taking down one Alibaba listing does nothing about the other 197.

Biobank’s response to this pattern has been to emphasize that the data is “de-identified” and that no participant has been knowingly re-identified. The reassurance rests on a technical claim that does not survive contact with the evidence.

Keep reading

France’s ID Portal Hacked: 19 Million Records Up for Sale

French authorities have added another case study to the growing argument against centralizing citizen identity data.

France Titres, formerly known as ANTS, operates the portal where residents apply for passports, national ID cards, residence permits, driver’s licenses, and vehicle registrations.

On April 15, something broke inside that system. A week later, the Interior Ministry confirmed what anyone watching digital ID schemes has been saying about this exact architecture for years, and the scale on offer from the attacker makes the warning harder to wave away.

A threat actor using the aliases “breach3d” and “ExtaseHunters” appeared on criminal forums on April 16, claiming to have stolen between 18 and 19 million records from the agency’s internal systems.

If accurate, that is roughly a third of France’s population sitting in a for-sale listing. The seller describes the haul as a fresh, structural compromise rather than a recycled dump, and is actively shopping it.

Early French press reports, including Le Figaro, initially pegged the figure at around 12 million accounts before later estimates climbed. The government has not confirmed any number.

What the ministry has confirmed is a “security incident that may involve the disclosure of data from both individual and professional accounts.”

Login credentials, full names, email addresses, dates of birth, unique account identifiers, postal addresses, places of birth, and phone numbers may all have been extracted. That combination is a starter kit for identity fraud, synthetic identity construction, and convincing phishing attacks against people who already expect email from French government domains.

Keep reading

Brussels’ New Age Verification App: Hacked in Two Minutes

The European Union’s age verification app arrived on Wednesday with a promise that it was “technically ready” for deployment across the bloc. Within hours, security researchers had torn it apart.

Commission President Ursula von der Leyen presented the tool in Brussels as the answer to a continent-wide push to keep minors off social media and adult websites. “It is fully open source. Everyone can check the code,” von der Leyen said. Researchers took her at her word. What they found has turned the launch into exactly the kind of security embarrassment that should make anyone think twice about digital identity systems.

Security consultant Paul Moore published a widely shared post on X documenting what he discovered after examining the GitHub repository. The app stores sensitive data on users’ phones and leaves it unprotected. Moore claimed he hacked it in under two minutes.

Brussels is standing by its product. “Yes, it is ready. Maybe we can add, ‘and it can always be improved’,” Chief Spokesperson Paula Pinho told reporters Friday. Digital spokesperson Thomas Regnier added a revealing clarification. “Now, when we say it’s a final version, it’s … still a demo version.” He said the final product is not yet available for citizens and “the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not.”

Moore led the technical takedown on X, describing the app’s architecture as broken at the foundation. The encrypted PIN the app stores locally, according to Moore, has no cryptographic link to the identity vault holding the actual verification data.

That gap enables a bypass that requires no exploit code or specialized tools. Delete a few specific values from the app’s configuration files, restart the app, set a new PIN, and the software happily hands over access to credentials that belong to the previous profile. Identity data gets reused under whatever access control the attacker defines.

The weaknesses deepen from there. Rate limiting, the standard defense against someone trying PIN after PIN until one works, lives in the same editable configuration file as a plain counter. Set it to zero and the app forgets every failed attempt.

Keep reading

Data Breach Exposing French Gun Owners a Warning to America

Anytime there’s a list of anything, there are going to be people who want to view that list for whatever reason. As we are firmly in the 21st century, that list is going to be digital more often than not, and that means the number of people who want to get that data increases exponentially. Especially when it’s something like a gun registry.

Luckily, federal law bars the federal government from creating a gun registry, though let’s be real here. If they change their minds, they’ll repeal the law in a heartbeat. It won’t stop them. Hell, it’s not even stopping the ATF from digitizing old records, which is really just a gun registry with a different name.

France, however, didn’t think gun registries were a bad thing.

Now, though, they’re finding out that data breaches into that registry are.

In a development that will shock absolutely nobody acquainted with the realities of gun control, there was another security breach of firearm owner data maintained by a government agency. This one took place in France, and an online cybersecurity resource, NeuraCyb Cybersecurity, reported it involved that country’s firearm registration system. Known as the Système d’Information sur les Armes (SIA), the system requires all law-abiding French gun owners to register information with it that includes, among other things, the gun owner’s name, address, firearms (including serial numbers), and a complete transaction history of each gun.

Because the SIA can be accessed in a number of ways—the firearms industry can access it to report commercial activity while gun owners can also access it to report any changes to their personal collection of firearms—it may be susceptible to being hacked from multiple points.

According to the NeuraCyb article:

Authorities detected the unauthorized access in late March 2026. The intrusion did not involve a direct hack of the central SIA database. Instead attackers used a compromised account belonging to a legitimate company or professional user authorized to interact with the system. This allowed them to extract commercial files stored within that specific account.

An anonymous hacker who took credit for the breach claimed to have stolen information on roughly 60,000 firearms and has allegedly offered to sell the data on underground online forums. It is currently unknown how many law-abiding French gun owners might now have their personal information floating around the Internet and offered for sale to the highest (and shadiest) bidder, but some estimate it would be in the tens of thousands.

The absolute best-case scenario here is that the hacker just took the data because he needed proof he’d actually hacked it. In the hacker world, there are bragging rights to hacking certain systems, and having data from it proves you did it. They don’t want to do anything with the data so much as just support their claims and win acclaim in the hacking universe. He’s just saying he was going to sell it to make himself look cooler.

Keep reading

Dad stuck in support nightmare after teen lied about age on Discord

Brady Frey did not realize that his daughter lied about her age when she set up her Discord account. He only found out after her account got hacked and he got trapped in a spiraling support nightmare while trying to stop the hacker from targeting dozens of her young friends with financial extortion scams.

When Frey’s daughter signed up for Discord, she was 12 and technically not old enough to have an account. But like many kids who, regulators have found, commonly lie about their age to access social media platforms, she didn’t want to wait another year to join her friends on the messaging app. Hiding her age, she created an account that listed her as over 18 years old.

Now 13, the teen had been happily using the app for months when she suddenly got locked out of her account after clicking on a link from an attacker posing as Discord support. Since she hadn’t enabled two-factor authentication, the attacker was able to commandeer the account. Frey only found out what was happening when the attacker asked the teen to share her parents’ banking information if she wanted to get her account back.

Once Frey realized his daughter had been hacked, he assumed that Discord would promptly intervene, recognizing that many minor victims on her friends list could be harmed the longer the attacker kept control. Instead, Discord’s chatbot, Clyde, and a seeming human support member, Nelly, automatically closed her support tickets after telling her it would be best to report the issue from inside the app, which she could not access.

Frey told Ars he was shocked to see a platform as big as Discord relying on such poor support infrastructure.

“There’s no pathway for a parent to step in and advocate for a minor whose account has been compromised,” Frey told Ars.

Keep reading

FBI Warns Congress of ‘Major’ Cyber Hack Involving China That Could Threaten National Security

Not even the FBI is safe from Chinese hacking operations.

A computer security breach in the bureau’s Virgin Islands offices, first detected in February, has been reported to Congress as a “major incident” that could threaten national security, Politico reported Wednesday.

And it appears that the Beijing regime is behind it.

As Fox News reported Thursday, it was unclear what information was accessed in the hack.

However, the FBI reported the breach in compliance with the Federal Information Security Modernization Act of 2014, a law that requires specific committees in both Houses of Congress to be notified if a federal agency’s computer system is compromised to the point where national security is at risk.

“The determination suggests the hackers successfully compromised swathes of sensitive data stored directly on FBI systems, likely marking a major counterintelligence coup for China,” Politico reported.

Keep reading

White House renamed ‘Epstein Island’ on Google phones – WaPo

The White House was briefly renamed ‘Epstein Island’ for some Google Pixel phone users, the Washington Post has reported.

The term is used to refer to the Caribbean island of Little St. James, which had been owned by the late convicted pedophile Jeffrey Epstein. According to prosecutors, it served as the venue for sex trafficking and other abuses involving some high-profile figures in business and politics.

WaPo said in an article on Saturday that when its journalist tried calling the White House switchboard earlier this week, the name on screen indicated that they were contacting “Epstein Island.”

Only users of Google’s Pixel phones experienced the issue. For those calling the presidential residence from other Android phones and iPhones, no name was displayed, the report read.

Keep reading