Update: After the publication of this story, another source provided Motherboard with the full PoliceOne database. In all, it contains 715,588 entries. However, the source said that this data has already been publicly distributed for some time, and that Bekrut did not hack the site. Bekrut did not respond for Motherboard's request for comment.
The original story follows below:
A hacker is selling a database allegedly containing over 700,000 user accounts from a popular law enforcement forum. The site, PoliceOne, is used by verified police officers and investigators to discuss tactics, weapons, and other specialist topics.
With the account information, criminals may be able to access "private messages and posts," the hacker who goes by the handle Berkut and is selling the data told Motherboard in an online chat.
"Emails from NSA, DHS, FBI and other law enforcement agencies as well as other US government agencies," Berkut's listing on the Tochka dark web market reads. Berkut is selling the full database, which allegedly includes around 715,000 user accounts and dates from 2015, for $400. The hacker said they had already sold the database on other forums.
According to its website, "PoliceOne.com is the #1 resource for up-to-the-minute law enforcement information online. More than 500,000 police professionals nationwide are registered PoliceOne members and trust us to provide them with the most timely, accurate and useful information available anywhere." To access specific sections of the forum, such as those covering training or other law enforcement centric discussions, applicants need to prove they are a law enforcement official; according to the site, PoliceOne will call the officer's department directly. Members of the public can read less sensitive sections of the site.
Berkut provided Motherboard with several samples of the data for verification purposes. The files contained usernames, email addresses, alleged member join dates, and passwords hashed with the out of date MD5 algorithm, meaning that they could be relatively easy for a hacker to crack. However, the passwords also included salts—random strings of characters used to make a hash more resilient.
The files did indeed contain valid email addresses from the NSA and other US government agencies; one file allegedly contained over 3,000 account details for Homeland Security staffers.
To verify that emails in the dump were connected to real accounts on PoliceOne, Motherboard attempted to create new users with a random selection of email addresses. Out of 15 addresses, 14 were already registered on the site. While reporting on this story, the Police One website went temporarily offline. Motherboard attempted to contact victims of the dump, but did not receive any responses in time for publication.
Bekrut claimed he breached the site using an exploit for vBulletin, a notoriously unsecure piece of forum software. According to a Google cache of the PoliceOne site, it was recently using vBulletin version 4.2.3; plenty of public exploits are available online for this version.
"We have confirmed the credibility of a purported breach of the PoliceOne forums in 2015 in which hackers were potentially able to obtain usernames, emails and hashed passwords for a portion of our members. While we have not yet verified the claim, we are taking immediate steps to secure user accounts and our forums, which are currently offline while we investigate and gather more information," a spokesperson for PoliceOne told Motherboard in an email.
"While we store only limited user data and no payment information, we take any breach of data extremely seriously and are working aggressively to resolve the matter. We will be notifying potentially-affected users as a matter of priority and requiring them to change their passwords," he added.
"At PoliceOne, we take your safety and protection of sensitive law enforcement information we provide very seriously," the website reads.