9000+ Department of Homeland Security staff have their details leaked by hacker

Any time you interact with an organisation that has “security” in their name, it’s understandable that you would expect them to be good at security. Right?

You would hope them to be shining examples for everyone else about how to do things right, how to batten down the hatches and protect sensitive information from falling into the hands of the bad guys.

But, as the US Department of Homeland Security (DHS) has just found out – things aren’t always that simple.

As CSO Online reports, this weekend a hacker dumped a staff directory including the names, job titles, email addresses and phone numbers of over 9,000 DHS workers on the net.

And then, to make sure that everyone knew about it, the hacker tweeted a link to the information along with the encryption password (perhaps unsurprisingly the password chosen by the hacker was “lol”).


As Motherboard explains the anonymous hacker claims to have downloaded hundreds of gigabytes of data from Department of Justice servers, and is threatening to release the contact details of a further 20,000+ FBI employees.

According to that media report, the hacker first compromised the email account of a Department of Justice employee, but was unable to access an online portal without an access token.

A simple social engineering trick came to the hacker’s rescue:

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine – just use our one.”

It makes you want to weep, doesn’t it? What is the purpose of providing your staff with authentication tokens if they see no problem in sharing token codes with each other?

According to the hacker, he was then able to login and using the credentials from the already compromised email account, access other computers including his victim’s work machine.

“I clicked on it and I had full access to the computer,” the hacker said. Here the hacker could access the user’s documents, as well as other documents on the local network.

The databases of supposed government workers were on a DoJ intranet, the hacker claimed.

Journalist Joseph Cox at Motherboard verified that the leaked data appeared to be legitimate by ringing a number of the staff listed in the dumped staff directory.

Clearly it shouldn’t have been as easy as it appears to have been to access the Department of Justice’s computer systems and retrieve the contact details of thousands of DHS workers.

It’s easy to imagine how armed with the email addresses, job titles and phone numbers of DHS staff that malicious cyber-criminals and state-sponsored hackers could launch attacks targeting workers.

Much more needs to be done to instill proper security practices and prevent such incidents from occurring again.

Of course, we shouldn’t also forget that there is more than one way to skin a rabbit. In this instance, hackers showed just how easy it was to scoop up the names, job titles and contact details of DHS workers by hacking into government systems.

But it’s also the case that government staff might be putting themselves at further risk through the information they willingly share online.

For instance, just take a look at LinkedIn – where many business people are happy to share details of their job roles and how they can be contacted.

When I looked up “Department of Homeland Security” on LinkedIn, I received more than 21,000 results.


Even if a hacker can’t access your staff directory by breaking into your organisation’s network, never forget that they might be able to find out your employee’s information via other routes.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment
  • Actually, if I’m to be completely honest I would expect that those with security in their name are least capable of keeping things secure. Perhaps that’s because they’re inviting attention from the world due in part because of their boasting. Or perhaps it’s because I have not seen many good examples here (of success). Or perhaps it’s because we all make mistakes. I’m not sure in the case of governments though that the last one is applicable. In fact I’m certain it isn’t: governments simply aren’t competent to begin with.

    I find it unfortunate the attacker released information of people whose only crime were to work for the US government (though I admit that might be a crime indeed in many cases but for some it might be all they can do … or are simply unaware of the dirty deeds) but I find it equally as unfortunate that they (the government) were to break so many basic rules in this case (and worse still is all the cases that aren’t reported!). So I’d say both parties are at fault here (and maybe the person/people foolish enough to give out the tokens should be held legally accountable [maybe compensate those affected by the leak?] but if nothing else they should be required to undergo training – including in common sense and logical thinking).