Hackers post alleged passwords of Hill staffers; FBI probing breach

A Twitter account that claims to be affiliated with the hacker group Anonymous said it posted the email addresses and alleged passwords of hundreds of current and former Hill staffers online late Wednesday.

{mosads}The Twitter handle @OpLastResort warned Congress in a tweet that it’s closely watching how lawmakers respond to the revelations over a pair of controversial National Security Agency surveillance programs. The tweet included a link to a website that listed the email addresses to hundreds of current and former Hill staffers and their alleged passwords for those accounts. 

“We mean it. This is a pivotal moment for America, and we will not tolerate failure,” OpLastResort tweeted, including the hashtags #Congress #Senate #FISA and #PRISM.

The hackers said they removed some of the staffers’ passwords from the list and shuffled the order of the remaining ones so the passwords aren’t linked to the email addresses they’re posted next to. 

But the hackers said they were “being far too generous” for taking this step and warned that they “reserve the right to spontaneously decide this restraint was unjustified.”

Senate Sergeant at Arms Terry Gainer said in a statement to The Hill that the passwords the hackers posted are not accurate. He confirmed that a hacker was able to gain “limited access to a vendor’s servers,” but said the Senate computers are safe and have not been hacked.

Gainer said his office is working with the U.S. Capitol Police and the FBI as they investigate the breach.

“This vendor provides some service to a limited number of Senate offices,” Gainer said. “The Senate IT team continues to work with the vendor to remedy any problems. We are working with the United States Capitol Police and the Federal Bureau of Investigation as they look into this matter.”

In a memo sent to all House staff late Thursday, the House Chief Administrative Office said the hackers had published expired login information, including email addresses and passwords, for iConstituent Gateway e-newsletter accounts outside of the House network. 

The House email system was not affected by the breach, but “out of abundance of caution,” staffers who have iConstituent e-newsletter accounts will have to change their login for the House network, the memo said.

“These passwords have expired and can no longer be used to access the external iConstituent service. However, to prevent access to other platforms (Facebook, Twitter, etc.), iConstituent Gateway eNewsletter users, old and new, should immediately change their usernames and passwords to other external sites and services if those user names and passwords have ever been used to access iConstituent Gateway eNewsletter accounts,” the memo reads.  

The email addresses of several communications directors and press aides for House and Senate members are included on the list. Some of the email addresses posted on the site belonged to staffers who no longer work in Congress, including staffers who used to work for former Sens. Chris Dodd (D-Conn.), Bill Frist (R-Tenn.) and Jim DeMint (R-S.C.).

An email that was sent to congressional offices, obtained by The Hill, said House Security believes the leaked staffer emails and passwords were poached from another online service rather than the House network’s email system.

A separate email sent to House offices said the breach was traced to the iConstituent newsletter product, which is typically used by press staffers and Hill aides to communicate with constituents. 

The email urged staffers to change their password for the iConstituent service but said their House email accounts were not affected by the breach. 

The email included a message from the iConstituent support team, which recommended that staffers reset their social media and email account passwords “as an additional precaution” if it’s the same as their password for the iConstituent newsletter product. 

“We learned today of a potential security risk which could affect users of the Constituent Gateway eNewsletter product,” the message, dated Tuesday, reads. 

“We are presently investigating the risk and its possible impact, but as a precautionary measure we have triggered a forced password change for all accounts in the eNewsletter Gateway.”

Zain Khan, CEO of iConstituent, did not confirm that its systems had suffered a breach, but said it takes security incidents “very seriously.”

“It is iConstituent’s policy to refrain from discussing security issues of our clients,” Khan said in an email. “iConstituent is aware of concerns of security and takes all such incidents very seriously.”

The Senate Sergeant at Arms sent an email Thursday afternoon to Senate staff directors, chiefs of staff and system administrators that warned about the hack.

“Early today, hackers disclosed over 300 Senate email addresses and passwords. We have confirmed that the posted credentials are not accurate, and many disclosed accounts are long expired,” the email reads. “Affected offices are being notified.”

The breach initially put Hill staffers on edge, but they said they felt reassured as more information was provided to them.

Still, some staffers raised concern about whether outside vendors are adequately securing their systems.

Ian Koski, communications director for Sen. Chris Coons (D-Del.), whose Senate email address was included on the hacker site, said he’s concerned that he hasn’t received a notice from iConstituent about changing his password. He called the breach “disturbing” but said federal employees expect to be the target of people’s anger from time to time.

The larger concern, Koski said, is whether the hackers were able to access the email addresses of constituents that are stored within the iConstituent newsletter’s database.

“I don’t see why people think that compromising the security of staffers’ e-newsletter accounts will result in more favorable policy outcomes, but OK. What we’re more concerned about now is the potential exposure of the constituent email addresses stored in the e-newsletter system’s database,” Koski said.

“At this point, it’s been 18 hours, and we haven’t heard a word from the vendor even recommending we change our passwords, let alone explaining the extent of the breach. Our constituents’ privacy is our real concern right now.”  

— This story was first posted at 2:51 p.m. and has been updated.