PoliceOne confirms hack; thousands of forum accounts for sale on the dark web

A data broker is selling hundreds of thousands of accounts used by police and federal agents from a hacked law enforcement forum.

The database is said to have been stolen in 2015, and contains 715,000 records on members who have registered with PoliceOne.com, a news site and community for police officers and law enforcement professionals.

Alex Ford, chief executive of Praetorian Digital, owner of PoliceOne.com, confirmed the breach in a phone call Tuesday.

Ford said that the company it will be notifying affected users and require them to change passwords.

According to a posting on a dark web marketplace, the stolen data includes usernames, passwords stored in MD5 (an algorithm that nowadays is easy to crack), email addresses, dates of birth, and other forum data, such as if a member is a verified law enforcement officer.

Many of the forums are private and can only be accessed by members, or in some cases verified law enforcement officials who have submitted their badge numbers or other identifying information, but this does not appear to be part of the leaked database.

The data is being sold for $400, according to the listing, which we are not linking to.

The seller of the data, who went by the name Berkut, reached out to me over encrypted chat and provided a sample of data for verification.

We reached out to a couple of dozen members by email who were listed in the breach, but we didn't immediately hear back. (We will update the story if that changes.)

Many of the accounts in the database included email addresses associated with the FBI and Homeland Security.

Berkut said the SQL database was dumped by using a known exploit for the forum software.

At the time of writing, the forums are powered by vBulletin software dating back to 2014, which is known to contain several easily exploitable vulnerabilities known by hackers.

The forums were pulled offline late on Friday after we informed the site of the breach.

Updated on February 7: with statement from chief executive.

These were the biggest hacks, leaks and data breaches of 2016

ZDNET INVESTIGATIONS

Researchers say a breathalyzer has flaws, casting doubt on countless convictions

Lawsuits threaten infosec research — just when we need it most

NSA's Ragtime program targets Americans, leaked files show

Leaked TSA documents reveal New York airport's wave of security lapses

US government pushed tech firms to hand over source code

Millions of Verizon customer records exposed in security lapse

Meet the shadowy tech brokers that deliver your data to the NSA

Inside the global terror watchlist that secretly shadows millions

198 million Americans hit by 'largest ever' voter records leak

Britain has passed the 'most extreme surveillance law ever passed in a democracy'

Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it

Leaked document reveals UK plans for wider internet surveillance

• Researchers say a breathalyzer has flaws, casting doubt on countless convictions
• Lawsuits threaten infosec research — just when we need it most
• NSA's Ragtime program targets Americans, leaked files show
• Leaked TSA documents reveal New York airport's wave of security lapses
• US government pushed tech firms to hand over source code
• Millions of Verizon customer records exposed in security lapse
• Meet the shadowy tech brokers that deliver your data to the NSA
• Inside the global terror watchlist that secretly shadows millions
• 198 million Americans hit by 'largest ever' voter records leak
• Britain has passed the 'most extreme surveillance law ever passed in a democracy'
• Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it
• Leaked document reveals UK plans for wider internet surveillance