The majority of the leaked passwords and logins belonging to Minneapolis city employees were already available from other breaches.
As protests spread across the country over George Floyd’s death in Minneapolis, cyberattacks also targeted the Minnesota’s city’s police department. On Sunday, the hacker group Anonymous took credit for an attack that took down the Minneapolis police department’s website, and also published a set of email addresses and passwords it claimed to have stolen.
But a deeper look at the leaked 798 email addresses and passwords suggest that there wasn’t any data stolen at all and it was actually repackaged data from previous, unrelated cyber attacks. Troy Hunt, security researcher and founder of the “Have I Been Pwned” database, looked at the list of released login credentials and found that 95% had already been revealed in older breaches.
In entirely new breaches, Hunt said you usually don’t see over 80% of repeats. Using old, stolen credentials with a different framing is not new, as cybercriminals will often compile billions of accounts to sell as if they’re new batches. In April, conspiracy theorists spread a document with 25,000 leaked email addresses and passwords belonging to members of the World Health Organization and the Centers for Disease Control, also compiled from older hacks.
With the latest leak, the hacker group appears to be taking advantage of outrage against police brutality and using it to spread disinformation online.
“There’s this social outrage in Minneapolis and people want to believe that a bunch of cops have been hacked,” Hunt said in an interview. “For a lot of people, Anonymous is symbolic of what social justice is.”
There had been multiple signs for Hunt that the leaked credentials were not from a new breach. Beyond the fact that 95% of them were already publicly available, he had found 87 instances of email addresses that repeated. If it were a legitimate hack, the database would not have the same email addresses with different passwords, he said.
The number of weak passwords in the dataset also set off alarms, Hunt added. He had found passwords that were just two letters or PIN codes, which are highly unlikely to be allowed for logging into a major city’s internal networks.
What’s most likely is that the so-called leak came as a compilation of “@minneapolis.mn.us” email addresses with passwords from previous breaches, including from websites like LinkedIn, Hunt said.
Some of the passwords and emails do work for other accounts. Hunt said a reader had reached out and found that one of the credentials worked for logging into a Minneapolis employee’s Twitter account. That is likely due more to the majority of people reusing passwords for multiple accounts than it being a new breach.
“When you add all these things together, and you look at the social engineering side of it, the fact that this preys on people’s moral outrage, the whole thing ends up reeking of fabricated data getting more air time,” he said. “People should be outraged, but that doesn’t suspend fact-checking and reality.”