UPDATED 22:09 EDT / JANUARY 05 2017

FBI allegedly hacked as agents’ details get published online

The U.S. Federal Bureau of Investigation has allegedly been hacked by a group or person with links to the Anonymous cyber collective.

CyberZeist claims to have gained access to the Plone content management system used on the FBI.gov site by using a zero-day exploit that is available on the dark web. On gaining access, the hackers obtained logins and a database dump that included personal data on 155 FBI agents. The information included their names, passwords and email accounts, a number of which have subsequently been published on Twitter as proof of the hack.

Because the site was hosted on a virtual machine, CyberZeist claimed to have been unable to obtain root access to the server that hosts FBI.gov. But it was able to obtain some information from the server, including that it was running FreeBSD version 6.2_RELEASE with custom configurations, and that it had recently been updated.

“While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn’t leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI’s response,” CyberZeist said.

CyberZeist rather charitably warned that other agencies using the Plone CMS are vulnerable to a similar attack, including the EU Agency for Network & Information Security, Intellectual Property Rights Coordination Center, and Amnesty International.

The makers of Plone have denied that their CMS was hacked, saying that they believe the claims by CyberZeist simply aren’t true.

“Some users on Twitter are circulating rumors about a zero-day vulnerability in Plone being used to attack the FBI. The Plone Security Team believes that these claims are a hoax,” the company said in a statement reported by The Register. “As Plone is open source software, it is easy to fake a screenshot showing Plone’s code. Causing source code to be leaked to the end user is a common form of attack against PHP applications, but as Python applications don’t use the cgi-bin model of execution it has never been a marker of an attack against a Python site.

“The hashes [the ‘hacker’] claims to have released have several warning signs that point to them being fake,” the company continued. “Firstly, the email addresses used match other FBI emails that have been harvested over the years that are publicly available. The password hashes and salts he claims to have found are not consistent with values generated by Plone, indicating they were bulk generated elsewhere.”

While the FBI has neither confirmed nor denied this hack, this isn’t the first time it has happened. CyberZeist breached FBI servers in a phishing attack in 2012.
