An FBI Email Network Was Hacked to Send Thousands of Fake Emails

One FBI online portal left its own account verification code publicly accessible in the website's HTML code. That's bad.

Looks like the Federal Bureau of Investigation’s latest case is pretty close to home: The organization’s own email network was compromised a few days ago. The hackers sent thousands of emails to system administrators, all cryptographically signed by the FBI and DHS.

And, in a meta twist, the false emails were themselves warning about a (non-existent) cybersecurity threat. That’s right, just when we all thought we were completely jaded about how all-encompassing cyberthreats appeared to be, now we can’t even trust FBI emails about a crime to not also be crimes themselves!

Here’s how it happened, and what we can learn from the whole debacle.

How the FBI Got Hacked

The short version of what appears to have happened here is that a hacker abused an account confirmation code that an FBI online portal left exposed in its own web page.

The portal, called the Law Enforcement Enterprise Portal or LEEP, lets users create a new account complete with an email confirmation sent from eims@ic.fbi.gov containing a one-time passcode used to verify that the new account’s email address is valid. That’s all typical stuff. But apparently, that one-time passcode was also leaked by the portal, and could be found in the web page’s own HTML code. So, the hacker was able to verify themself, and then used a simple script to send the thousands of fake emails.

“Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” the hacker, who goes by the name Pompompurin, said in an interview. “This post request includes the parameters for the email subject and body content.”

Here’s one example screenshot of a fake email:

https://twitter.com/GossiTheDog/status/1459452054641025024

It has a few run-on sentences and misspells “through” at one point, but those are mistakes an FBI agent could plausibly make. Given that a valid cryptographic signature confirmed this was indeed sent from an FBI server, any system admin would be forced to take a second look.

Hacktivism at Work?

The person who explained how the hoax worked, Pompompurin, is also claiming responsibility for it — and pretty convincingly, given that they did so with an email sent from an FBI email address.

In it, they say that they could have done a lot worse, but instead just wanted to make sure the vulnerability was patched up (while presumably gaining a little “hacked the FBI” clout in online circles in the process).

It’s another example of how one missed loophole can lead to outsized cybersecurity consequences. In this case, the FBI has plenty of egg on its face. But tomorrow, another small company could be dealing with a similar data leak, and that company won’t even have the power of the federal government behind them.

We always recommend password management tools, VPNs, and quality remote access software for businesses trying to stay safe with a remote workforce. But you may want to consider a few training sessions for how to mitigate an attack that has already proven successful — not every attacker out there will be nice enough to just send an email warning about a fake cybersecurity risk every time they find a real one.


Written by:
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.