A hacker known on Twitter as CyberZeist has hacked the FBI website, again, this time using a zero-day exploit against the bureau’s Plone content management system.
The Dec. 22 hack resulted in the leak on Pastebin, the open source website hackers use to publish stolen information, of personal data of more than 150 FBI employees, including names, email accounts and passwords.
The exploit was offered for purchase on Tor by a hacker named “lo4fer.”
“I obviously cannot publish the 0day attack vector myself as it is being actively sold over tor network for bitcoins,” CyberZeist says in the leak. “Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself.”
The hacker said his actions were “totally devoted to the Anonymous Movement.” CyberZeist claims to have informed the FBI about the vulnerability before the leak so it could be patched. Exploiting the site was not difficult, according to the hacker, because the webmaster “had kept the backup files (.bck extension) on the same folder where the site root was placed.”
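The detail about backup files left inside the site root is the one concrete, checkable weakness the article reports: anything with a stray backup suffix under a web root is typically served to anyone who guesses its name. The script below is an added defensive example, not code from the article or from the Plone project, that walks a document root and reports such artifacts. The suffix list is an assumption (".bck" comes from the article; the others are common editor and manual-backup conventions), and the directory tree it scans is constructed on the fly as sample data.

```python
import os
import tempfile
from pathlib import Path

# Suffixes that usually mark backup or editor scratch files.
# ".bck" is the one named in the article; the rest are assumed common variants.
BACKUP_SUFFIXES = (".bck", ".bak", ".old", ".orig", ".save", ".swp", "~")


def find_backup_files(web_root):
    """Return sorted paths (relative to web_root, POSIX style) of files
    whose names end with one of BACKUP_SUFFIXES."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower().endswith(BACKUP_SUFFIXES):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_root():
    """Create a throwaway directory tree to scan (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<html></html>")
    (root / "config.py").write_text("SECRET = 'placeholder'")
    (root / "config.py.bck").write_text("SECRET = 'placeholder'")  # stray backup in the root
    (root / "static").mkdir()
    (root / "static" / "style.css").write_text("body{}")
    (root / "static" / "style.css~").write_text("body{}")  # editor backup file
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for rel in find_backup_files(sample):
        print("backup artifact served from web root:", rel)
```

Run it against a real document root (for example as a pre-deploy check or a nightly cron job) and treat any hit as something to move out of the served tree, since a backup of a configuration file commonly contains the same credentials as the live copy.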
Viewed as one of the most secure platforms, Plone CMS is used not only by the FBI but also by Google, the CIA, the European Union Agency for Network and Information Security, the Intellectual Property Rights Coordination Center, and Amnesty International. Any organization running this CMS could be exposed to similar attacks.
The FBI has not released a statement yet.