As protests continue to proliferate across the globe in the wake of George Floyd’s death, the Minneapolis Police Department (MPD) is making news for something else: a supposed hack, attributed to the Anonymous hacktivist collective.
According to Troy Hunt at Have I Been Pwned (HIBP), a set of email addresses and passwords said to have been stolen from the MPD has been circulating on multiple forums, most of which attribute the credential leak to Anonymous, a loose affiliation of individuals who carry out hacking to send political messages. According to multiple social-media posts, Anonymous supposedly carried out the breach in response to the MPD’s role in Floyd’s death:
ANONYMOUS IS BACK AND HAVE ALREADY H@CKED THE MINNEAPOLIS POLICE DEPARTMENT WEBSITE pic.twitter.com/W7AcHyh3gV
— nutella⁷ closed or ia idk | BLM (@pjnkmin) May 31, 2020
However, Hunt’s review of the situation comes to a different conclusion.
“Don’t spread disinformation and right now, all signs point to just that – the alleged Minneapolis Police Department ‘breach’ is fake,” he wrote, in an analysis posted on Monday, adding that the data is likely not from the MPD at all, but rather a collection of widely available credentials from earlier breaches, and possibly some made-up combinations, that have been assembled into a new database for the purpose of perpetrating this hoax.
Hunt’s look at the data set found 689 unique email addresses, and, as a first warning flag, some of them appear with more than one password.
“It’s extremely unusual to see the same email address with multiple different passwords in a legitimate data breach as most systems simply won’t let an address register more than once,” Hunt explained.
Another red flag is that 654 of the addresses can already be found in Have I Been Pwned, meaning that 95 percent of them had already been exposed in earlier breaches before this “leak” surfaced.
This rate is “massively higher than any all-new legitimate breach,” Hunt pointed out. “If you have a browse through the HIBP Twitter account, you’ll see the percentage of previously breached accounts next to each tweet and it’s typically in the 60 percent to 80 percent range for services based in the U.S.”
Yet another aspect that points to a fake breach is just how many incidents the addresses appear in. The average in HIBP is two breaches per email address. In this case, the emails appear in an average of 5.5 breaches.
“In other words, these accounts are breached way more than usual. When we look at which incidents they’ve been breached in, they’re very heavily weighted towards data aggregators,” Hunt explained. “The conclusion I draw from this is that a huge amount of the data is coming from aggregated lists known to be in broad circulation.”
What we almost certainly have here is the result of someone selecting every https://t.co/PLqgtO3KjG email address from old breaches or credential stuffing lists and passing it off as something it isn’t. There’s no evidence whatsoever to suggest this is legitimate.
— Troy Hunt (@troyhunt) May 31, 2020
There’s also the issue of the passwords – many of the credentials are common or incredibly easy to crack. For instance, passwords like the all-lowercase “linkedin”; “le” (just two characters); PIN-like passwords like “1603”; and the notoriously insecure “password,” “qwerty” and “123456” are all represented.
“It’s difficult to imagine someone creating an MPD account with that password,” Hunt said, using “linkedin” as an example. “Then again, people do stupid things with passwords (yes, even police officers) so it’s possible. What’s less likely is that a current day official police department system would allow an all lowercase 8-character password.”
In all, 89 percent of the passwords have been seen before. The most common in the set is “123456,” which makes almost 24 million appearances in the HIBP database.
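The four checks Hunt applied above (addresses carrying several passwords, share of addresses already in HIBP, mean breach count and aggregator weighting, and how many of the passwords are already known-compromised) can be run over any “email:password” dump. The script below is an added example, not Hunt’s tooling or Threatpost’s; it works on a constructed sample dump and a constructed stand-in for the HIBP breached-account lookup, so the addresses, breach lists and hit counts are assumptions and not real data. The password check implements the k-anonymity scheme of HIBP’s Pwned Passwords range API (send the first five hex characters of the SHA-1, match the remaining 35 locally); the range responses here are generated offline rather than fetched, so the counts are placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed sample dump in the "email:password" combolist shape the article
# describes. None of these are real addresses or real credentials.
SAMPLE_DUMP = """\
officer.a@example.gov:linkedin
officer.a@example.gov:123456
officer.b@example.gov:qwerty
officer.c@example.gov:Tr0ub4dor&3!xQ
officer.d@example.gov:password
officer.d@example.gov:le
officer.e@example.gov:1603
"""

# Constructed stand-in for an HIBP breached-account lookup: email -> breach names.
# Aggregator lists (credential-stuffing compilations) are the ones Hunt says dominate
# the fake MPD set; they are separated from single-site breaches so we can weight them.
PRIOR_BREACHES = {
    "officer.a@example.gov": ["LinkedIn", "Collection #1", "Exploit.In", "Anti Public Combo List"],
    "officer.b@example.gov": ["Collection #1", "Exploit.In"],
    "officer.d@example.gov": ["Adobe", "Collection #1", "Exploit.In", "Anti Public Combo List",
                              "Onliner Spambot", "Pemiblanc"],
    "officer.e@example.gov": ["Collection #1"],
}
AGGREGATORS = {"Collection #1", "Exploit.In", "Anti Public Combo List", "Onliner Spambot", "Pemiblanc"}


def parse_dump(text):
    """Split email:password lines on the first colon only, since passwords may contain ':'."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            email, password = line.split(":", 1)
            creds.append((email.lower(), password))
    return creds


def multi_password_emails(creds):
    """Red flag 1: addresses carrying more than one distinct password. A real
    per-site breach rarely shows this because a site registers an address once."""
    by_email = defaultdict(set)
    for email, password in creds:
        by_email[email].add(password)
    return {e: sorted(p) for e, p in by_email.items() if len(p) > 1}


def prior_exposure(creds, breaches_by_email, aggregators):
    """Red flags 2 and 3: share of addresses already breached, mean breaches per
    address, and what share of those appearances come from aggregator lists."""
    emails = {e for e, _ in creds}
    seen = [e for e in emails if breaches_by_email.get(e)]
    hits = [b for e in seen for b in breaches_by_email[e]]
    agg = sum(1 for b in hits if b in aggregators)
    return {
        "unique_emails": len(emails),
        "pct_previously_breached": round(100 * len(seen) / len(emails), 1),
        "mean_breaches_per_email": round(len(hits) / len(emails), 2),
        "pct_hits_from_aggregators": round(100 * agg / len(hits), 1) if hits else 0.0,
    }


def pwned_range_key(password):
    """k-anonymity split used by the Pwned Passwords range API: only the first five
    hex chars of the SHA-1 leave the machine; the 35-char suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, range_body):
    """range_body is the 'SUFFIX:COUNT' text that GET
    https://api.pwnedpasswords.com/range/<prefix> returns. 0 means never seen."""
    _, suffix = pwned_range_key(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def constructed_range_lookup(prefix):
    """Offline stand-in for the live range API. Counts are constructed placeholders,
    not HIBP's real figures; only the response format is faithful."""
    known = {"123456": 23_900_000, "password": 3_700_000, "qwerty": 3_900_000,
             "linkedin": 50_000, "le": 100_000, "1603": 20_000}
    lines = [f"{s}:{c}" for pw, c in known.items() for p, s in [pwned_range_key(pw)] if p == prefix]
    lines.append(f"{'0' * 35}:1")  # filler entry, as a real range response has hundreds
    return "\n".join(lines)


def passes_policy(password, min_len=8, min_classes=3):
    """Hunt's point about 'linkedin': 8 characters but one character class, which a
    present-day system with a basic complexity policy would reject."""
    classes = sum((any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)))
    return len(password) >= min_len and classes >= min_classes


def assess(creds, breaches_by_email, aggregators, range_lookup):
    """Combine the four heuristics into one report for a candidate dump."""
    report = prior_exposure(creds, breaches_by_email, aggregators)
    report["emails_with_multiple_passwords"] = len(multi_password_emails(creds))
    pws = [p for _, p in creds]
    seen = [p for p in pws if pwned_count(p, range_lookup(pwned_range_key(p)[0])) > 0]
    report["pct_passwords_previously_seen"] = round(100 * len(seen) / len(pws), 1)
    report["pct_passwords_failing_policy"] = round(100 * sum(not passes_policy(p) for p in pws) / len(pws), 1)
    return report


if __name__ == "__main__":
    for key, value in assess(parse_dump(SAMPLE_DUMP), PRIOR_BREACHES, AGGREGATORS,
                             constructed_range_lookup).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows 80 percent of addresses previously breached, most appearances from aggregator lists, two addresses with multiple passwords and nearly all passwords already known, which is the same profile Hunt describes for the MPD set. To run it against a live corpus, swap `constructed_range_lookup` for an HTTP GET of the range URL (the prefix is all that is sent, so the password never leaves the machine) and `PRIOR_BREACHES` for a breached-account lookup.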
Bottom line: While many are outraged at the police in Minneapolis and this story feeds a retribution narrative, “the data has almost certainly been pulled out of existing data breaches in an attempt to falsely fabricate a new one,” Hunt concluded. “These may well be legitimate MPD email addresses and the passwords may well have been used along with those email addresses on other systems, but they almost certainly didn’t come from an MPD system and aren’t the result of the police department being ‘hacked.’”