This story is over 5 years old.


A Hacker Is Pretending To Sell Stolen US Government Employee Data

While data might not be from OPM hack, it appears to be legitimate.
Image: The building of the Office of Personnel Management (Mark Van Scyoc/Shutterstock)

Last week, the US government human resources agency admitted that hackers had stolen the personal records of around 4 million workers.

Experts quickly pointed out that this data could be a "goldmine" for foreign spies, and "everything anyone would ever need for blackmail"—although it's still unclear exactly what data was stolen.

In any case, one thing is clear: this data from the Office of Personnel Management (OPM) might be worth a lot of money. This week, an unidentified hacker, claiming to be part of a group of cybercriminals, decided it was probably time to test this theory on the black market.


In a post on the dark web hacking forum "Hell," the same one where the hacked data from the online hookup site Adult Friend Finder was posted a couple of months ago, a hacker that goes by the name Ebolabad claimed to be behind the hack on OPM.

"Is not China. Is me. I am sell [sic] for highest bid."

"Is not China. Is me. I am sell [sic] for highest bid," the hacker wrote in broken English.

Ebolabad also shared two snippets of data appearing to belong to two government employees, data that he claimed came from "two state" databases (we're not linking to the original post to protect their personal data). Ebolabad claimed to have breached 38 databases, totalling 2.5 gigabytes of data about 4.5 million people.

Screen Shot 2015-06-09 at 1.24.52 PM.png

In an encrypted chat with Motherboard, Ebolabad claimed to have obtained the data along with ten other hackers by first breaking into a Colorado state job portal, which uses software created by a company named Neogov. From there, exploiting a cross-site scripting vulnerability, the hacker said him and his gang pivoted to other databases, including the one from OPM.

"GOVs who are charge for protect our datas should be held accountable [sic]," Ebolabad said, explaining that his alleged group wanted to expose the US government's bad data security practices.

Ebolabad, who claimed to have had access to the data for more than two years, also shared more snippets of data from the alleged OPM database, including details of a server he claimed to have hacked, and five names of other victims.


Some of the data appears legitimate. The five workers whose names and details were shared by Ebolabad with Motherboard all work in the IT department of the Library of Congress, and the data, other than one email address, were not previously made available on the open web. Yet, it seems like Ebolabad is trying to scam visitors of the Hell forum with data that actually does not come from the recent breach at OPM.

It seems like Ebolabad is trying to scam visitors of the Hell forum with data that actually does not come from the recent breach at OPM.

While OPM did not answer to Motherboard's request for comment, individuals involved in the breach investigation, who were not allowed to speak on the record, said they believe the data appears to be false. Moreover, a spokesperson for Neogov told Motherboard that OPM is not a customer.

Yet, the data Ebolabad sent me seems to be legitimate, according to experts I shared it with.

"This is definitely breached data, but from what? The big question here is: is this new breach data, or are they taking old stuff and trying to 'resell' it?" Adrian Sanabria, a security analyst at at 451 Research, told Motherboard.

Sanabria added that since some data is purportedly from Colorado, while the five alleged victims work at the Library of Congress "tells me that the data they're showing you are coming from multiple, possibly unrelated sources."

Some might even be old hacked data, which the hackers are now repurposing in the hopes of making easy money. The Library of Congress website, for example, was hacked in 2012.


Michelle Cline, a Neogov spokesperson, said the company wasn't aware of any breaches to its customers.

"This data looks like it came from a legitimately compromised server somewhere in OPM."

In any case, the bottom line is that "this data looks like it came from a legitimately compromised server somewhere in OPM," Chris Eng, the vice president of research at Veracode, told Motherboard.

"But without inside forensics information on the systems affected," Eng added, "it's impossible to connect the dots between this particular snippet and the OPM hack in the news."

Even on the Hell forum people were skeptical of Ebolabad's claims. One user said it was "probably BS," while the forum's admin called Ebolabad "a scammer."

That might very well be true, but it's also possible that Ebolabad really hacked some government websites and databases, given that OPM itself used to have questionable—to say the least—security practices.

This story has been updated to include Neogov's spokesperson response to a question on whether the company was ware of a breach to any of its customers.