Hackers sent a barrage of fake emails over the weekend using an FBI email account, the agency acknowledged, to falsely warn recipients that an attacker stole their information.
The nonprofit spam-tracking service Spamhaus Project estimated that the hoax email campaign comprised as many as 100,000 messages. The FBI said that the hackers temporarily broke in via a software misconfiguration for its Law Enforcement Enterprise Portal that the bureau uses to communicate with state and local law enforcement agencies.
“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,” the FBI said in a Sunday update. “No actor was able to access or compromise any data or PII on the FBI’s network.”
The email campaign sought to smear Vinny Troia, a cybersecurity author and CEO of Night Lion Security, as the party responsible for the alleged stolen data. Someone going by the name Pompompurin reportedly claimed credit for the false emails, saying their intent was to expose a vulnerability in the FBI’s system.
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin told Krebs on Security. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack,” a copy of a phony email tweeted by the Spamhaus Project reads, saying Troia was affiliated with The Dark Overlord hacking group.
The incident is only the latest to see major parties who investigate cyberattacks hacked themselves, and a reminder that common errors like software misconfigurations can undermine the security of virtually anyone.
“I think a lot of people will be watching the public response by the FBI to this in the coming weeks,” tweeted cybersecurity researcher Kevin Beaumont. “The FBI have the option to be as transparent as possible about a breach, which may aid companies in the future in their breaches.”