The email and passwords were posted on the same forum where a hacker claimed to have breached OPM.
Image: Michael Schreifels/Flickr
A hacker dumped a database containing what appear to be around 23,000 email addresses of US government workers on a dark web hacking forum on Thursday.
The database contains more than 9,000 government (.gov) email addresses, and almost 12,000 military (.mil) addresses, as well as their corresponding—though encrypted—passwords.
The dump comes just a few days after a hacker named Ebolabad claimed to be the one behind the massive hack of the US government human resources arm, the Office of Personnel Management (OPM), which may have compromised up to 4 million federal employees' information. Ebolabad pretended to sell the data trove to the highest bidder, but it was unclear if he ever had access to the real OPM data.
The database contains more than 9,000 government (.gov) email addresses, and almost 12,000 military (.mil) addresses.
Last week, Ebolabad claimed to have hacked 38 OPM databases containing records of 4.5 million workers. The hacker also shared some snippets of data with Motherboard, and experts said the data appeared to be legitimate, although there was no conclusive evidence that it actually came from the breach of OPM.
The new database containing 23,000 emails was posted by the administrator of the dark web hacking forum Hell, a hacker who goes by the name Ping, who told Motherboard that he got the data from Ebolabad.
It's unclear if this data really comes from OPM, but the vast majority of users in the database have government addresses, belonging to a wide range of agencies such as the FBI, the Department of Homeland Security, the Department of Justice, the Bureau of Prisons, the Air Force, and the Navy. (There are even 16 opm.gov email addresses)
We haven't been able to verify that all the data is authentic, but some of the email addresses and names appear to be real. Several people whose name appear in the dumped database do indeed work in the US government, and some emails appear on publicly available government websites. (We have reached out to a dozen of the people who appear on the database, but haven't heard back yet.)
Given that one of the fields of the database is "SAPCustomerNumber," it appears that it comes from German enterprise software giant SAP, which sells databases, among other services.
It's possible that OPM is an SAP customer, which would support the idea that this data is authentic. An OPM human resources best practices document posted online seems to suggest it is an SAP customer—though this doesn't prove that this data was indeed stolen from OPM.
Motherboard has reached out to multiple SAP spokespeople, but none have responded by the time of publication. An OPM spokesperson also did not respond to our requests for comment.
The hacker might be simply trying to make some money pretending to have a huge collection of government employee's data.
Experts who reviewed the data posted days ago by Ebolabad concluded that it appeared to be real names and email addresses, although it could've been data recycled from another data breach, not necessarily stolen from OPM. The hacker might be simply trying to make some money pretending to have a huge collection of government employee's data, the experts said.
"This is definitely breached data, but from what?" Adrian Sanabria, a security analyst at at 451 Research, previously told Motherboard. "The big question here is: is this new breach data, or are they taking old stuff and trying to 'resell' it?"The hack on OPM has been called one of the biggest, if not the biggest, data breach in the US government history. It's still unclear exactly what data was stolen, but OPM deals with highly sensitive data on millions of current and former government workers, such as information on security clearances and background checks. Experts have called this type of data a "goldmine" for foreign spies and "everything anyone would ever need for blackmail."
Anonymous government officials have told several news outlets that China is suspected to be behind the hack, although former CIA deputy Mike Morell reportedly said last week that he believed the hackers behind the breach were "more likely" to be "a criminal group."
Perhaps this new dump of government credentials does not come from OPM—but that would hardly be good news, as it might mean the US government has another breach to worry about.