Hacker Breached EAC Website, Sought to Sell Passwords


[Image via wonderhowto]

The U.S. Election Assistance Commission (EAC) is responding to reports that its website was hacked and login credentials stolen and offered for sale online. PCWorld has more:

A Russian-speaking hacker has been found selling stolen login credentials for a U.S. agency that tests and certifies voting equipment, according to a security firm.

The hacker was attempting to sell more than 100 allegedly compromised login credentials belonging to the U.S. Election Assistance Commission (EAC), the security firm Record Future said in a Thursday blog post. The company said it discovered online chatter about the breach on Dec. 1.

Some of these credentials included the highest administrative privileges. With such access, an intruder could steal sensitive information from the commission, which the hacker claimed to have done, Recorded Future said.

According to screenshots obtained by Recorded Future, the hacker had access to details about tests of election systems and software.

The EAC shut down the affected application and issued the following statement:

The U.S. Election Assistance Commission (EAC) has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects.

The EAC does not administer elections. State and local jurisdictions run elections.

The EAC’s mission is to provide a clearinghouse of election administration best practices, administer a voluntary voting machine certification system, and survey election administration practices.

The EAC does not collect or store any personal information of voters. The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals.

Upon detecting the intrusion, the EAC terminated access to the application and began working with federal law enforcement agencies to determine the source of this criminal activity. The FBI is currently conducting an ongoing criminal investigation. As such, questions concerning the investigation should be directed to the FBI.

Recorded Future, which initially identified the hack, says the hacker seems to be acting alone – though there is the possibility that other hackers could have exploited the vulnerability:

Recorded Future also said the hacker it identified doesn’t appear to be sponsored by any foreign government. The security firm’s blog post [link here – ed.] didn’t cite any evidence that the hack had resulted in vote-tampering in the election.

To pull off the breach, the hacker exploited an unpatched SQL injection vulnerability, a common attack point found in websites. The hacker may also have tried to sell details about this vulnerability to a broker working on behalf of a Middle Eastern government, Recorded Future said.

“It’s not uncommon for this type of vulnerability to lead to broader system level access, however, in this case the full extent of the EAC compromise remains unknown,” Recorded Future said.

The stolen login credentials could have also allowed a hacker to modify or plant malware on the commission’s web-facing application, the company said.

It’s unclear how long the vulnerability remained unpatched, so it’s possible other bad actors may have exploited it, Recorded Future said.

As the EAC and numerous media outlets have observed, the hack is not as serious as it could have been because the agency doesn’t actually administer elections, as is the case with central election authorities in other countries. Still, it’s a vivid reminder of the importance to election officials of keeping cybersecurity top of mind, given that any information could end up being of value to a hacker. It’s also eye-opening to realize that the hack went undetected until a non-governmental actor like Recorded Future picked up the trail.

The lesson here seems to be stay vigilant and make sure your software is up to date. I’m going to go do the latter now; you should all do the same – and stay tuned …

10 Comments on "Hacker Breached EAC Website, Sought to Sell Passwords"

  1. no country is able to stop hacking government should take some serious action to stop hacking to save the personal data of people

  2. hacking is very serious issue for every country these days government should take some steps to stop it

  3. Thanks for sharing this article.It shouldn’t be
    oon this page only. Can I share it on my Facebook and Twitter?

  4. I have done that for the last two books I was the marketing director for.
    The best SEO service provider is one that might not harm the site as a result of incoherent strategems.
    You cannot call Google up and provides them a everlasting sales pitch about
    your website and look engine spiders usually do not reply to

  5. Any message you have for the prospective customer, really should have inside a title or even an openng that needs to be of curiosity for
    a prospects. Yoou can’t set your online marketing
    strategy lacking the knowledge of if your keyword phrases or keywords are well-liked by searchers
    with your field. But of course you must realise what must be done, and it can be described
    as a great deal of work as well.

  6. While talking about captivating the most clients, other
    concerns include the ones from landing pages.
    On the opposite hand, in case a marketer is not too careful in investing just
    for this strategy, then he is most probably to fail.

    You cannot call Google up and provdes them a sales pitch about your website and look engine spiders
    do not answer email.

  7. I ɑam curious to fimd out what blog system yoᥙ haplen tto be սsing?
    I’m having some small security probⅼems witһ mʏ latest website and І wouⅼd
    like to find something more secure. Do you have ɑny solutions?

  8. thank you so much giving me this knowledge also I bookmark this link it very useful

  9. thank you so much giving me this knowledge also I bookmark this link it very useful
    you boom it

  10. Nice information I got here without wasting my time and it looks really great. Thanks for your post.

Leave a comment

Your email address will not be published.