Hackers reportedly compromised at least three websites related to the FBI National Academy Association. TechCrunch said yesterday that the hackers were able to collect names, email addresses, mailing addresses, phone numbers, and job titles of at least 4,000 law enforcement officials, some of which they posted publicly.
But that could just be the beginning: the hackers reportedly told TechCrunch that they had compromised 1,000 websites and gathered "over a million data" about people who work for various agencies and government organizations. They also shared evidence that they accessed a subdomain related to Foxconn where they could view "thousands of employee records, including email addresses and phone numbers," at will.
The hackers have posted some information to the web, such as the names and postal addresses of some federal agents, and are expected to sell more information on the dark web. That is the common procedure for hacks like this: a group of hackers will usually cast a wide net in search of vulnerable websites, break into the ones they find, gather as much information as they can, and sell that data to the highest bidder. (Or, if they're willing to leave it up for sale, to anyone who can pay their asking price.) They basically turn secrets into money.
As websites have started to gather more information about their users, the opportunity for hackers to gain access to untold amounts of information has risen. That's how massive data dumps like Collection #1, which contained personal information related to some 773 million accounts, happen. It's an obvious point to make, but it's worth repeating that this data is only there to be stolen because some company gathered it in the first place.
Many companies also fail to protect the information they collect, despite amassing more of it than ever. Just look at the companies that kept databases containing records related to as many as 540 million people in unprotected Amazon S3 cloud storage buckets. Even large companies fail to take all of the necessary precautions, as Facebook demonstrated when it revealed that employees could access some 600 million passwords.
The FBI National Academy Association doesn't appear to have acknowledged TechCrunch's report on its website or social media accounts. Until the hackers put the data they stole up for sale, it will be hard to determine the extent of the attack, or how many people were actually affected. But we suspect the thousands of people who use the three websites confirmed to have been compromised will find little comfort in that ambiguity.