14 DAY TRIAL // Several passwords allegedly for email accounts belonging to the Baltimore Police Department (BPD) have been spilled into the public domain by hackers associated with the Anonymous hacktivist group.
On Saturday, multiple email addresses handled by workers at the law enforcement division found their way on a public pasting website, along with several IP addresses for services used by BDP.
Passwords for seven BPD emails leaked
The incident is preceded by the protests in Baltimore caused by the death of 25-year-old African American Freddie Gray while in police custody. The six officers involved in the matter have been charged, some of the counts being second-degree murder and involuntary manslaughter.
On Monday, members of the hacker group Hagash Team disclosed on Pastebin a set of eight email addresses and the passwords for accessing the accounts.
Most of the entries are for addresses of BPD workers, but one is handled by Lisa Evans, who is a lead wellness manager at City of Baltimore, according to her LinkedIn profile.
Phishing attacks should not be underestimated
Email addresses are a great starting point for an attacker with strong social engineering skills, as they can devise phishing messages with the purpose of obtaining personal information or credentials for online accounts.
According to the message left on Pastebin by the hackers, it appears that the handlers of the initially leaked addresses fell for the phishing trap and delivered the password for the email account into the hands of the attacker.
“We are back, thanks for getting our spam and return with their passwords,” Hagash Team wrote in the entry on Pastebin.
In a tweet on Saturday, another hacker group called Anonymous Globo supporting Baltimore protests announced cyber-attacks against Baltimore PD: “#Baltimore we got ya back. Anon troops have been deployed and landed in Baltimore. We are here. Baltimore PD you should have expected us.”
Although the email addresses are legitimate, it is unclear if Hagash Team accessed the accounts, or if the passwords are the correct ones. On the other hand, an attack of this sort is plausible and it would not come as a surprise if the cache were real.