Cyber Incident Victim: PoliceOne
Date: Jan 2015
Location: United States of America
Summary
A hacker compromised a law enforcement-focused online forum, stealing approximately 700,000 user accounts containing usernames, email addresses, passwords hashed with salted MD5, and potentially private communications. The attacker exploited a known vulnerability in outdated vBulletin forum software to access the database, which included sensitive email addresses linked to multiple U.S. government agencies. The stolen data was offered for sale on dark web markets, posing risks of unauthorized access to restricted discussions and operational details. The victim organization took its forums offline during the investigation, treated the breach claim as credible although full verification was still pending, and initiated user notifications alongside mandatory password resets. While no financial data was stored, the exposure of law enforcement professional accounts raised significant security concerns regarding potential misuse of sensitive tactical information.
Description
In February 2017, a hacker using the alias "Berkut" advertised a database containing approximately 715,588 user accounts from the law enforcement forum PoliceOne for sale on the Tochka dark web market for $400. The stolen data, allegedly obtained in 2015, included usernames, email addresses, account creation dates, and passwords hashed with salted MD5. Berkut claimed the database contained emails associated with personnel from the NSA, DHS, FBI, and other US government agencies, with one sample file purportedly listing over 3,000 Homeland Security employee accounts. The hacker stated they had accessed the forum through an exploit targeting vBulletin 4.2.3, a widely used forum software with documented security vulnerabilities. Motherboard verified the data's authenticity by testing 15 randomly selected email addresses from the sample, finding 14 were already registered on PoliceOne, including addresses tied to government agencies. During the investigation, PoliceOne's website became temporarily inaccessible.

PoliceOne confirmed they were investigating a potential breach affecting a portion of their members, though they had not fully verified the claims at the time of reporting. The company immediately took their forums offline to secure user accounts and conduct further analysis. A spokesperson emphasized that while the compromised data did not include payment information, they were treating the incident with high priority, notifying potentially affected users and mandating password resets. The breach raised concerns about criminals accessing private messages and specialized discussions restricted to verified law enforcement personnel, as PoliceOne required officers to validate their credentials through direct department verification for sensitive sections. The company reiterated its commitment to protecting sensitive law enforcement information but provided no additional technical details about the intrusion timeline or remediation steps beyond the initial response.
