There was no data breach in the cyberattack against Minneapolis Police

Last week a massive distributed denial-of-service (DDoS) attack shut down the websites and systems of Minneapolis, but there is no evidence of a breach.

Over the weekend, Anonymous demanded justice for George Floyd and threatened to ‘expose the many crimes’ of Minneapolis Police. George Floyd was killed by a white police officer by kneeling on his neck for more than eight minutes.

While widespread civil unrest escalated in the US and the protest against the brutality of the police is spreading in the principal cities, Anonymous released a video, threatening Minneapolis Police Department (MPD) that it will “expose your many crimes to the world.”

On Thursday, the city’s website was not reachable due to the cyberattack that was launched as a retaliation for the death of George Floyd.

Most of the operations at the city were restored quickly, the Minneapolis CIO Fadi Fadhil said announced that the city had put on place proactive measures to mitigate such attacks.

“Although these types of attacks are not completely unavoidable, they are fairly common, and the city of Minneapolis has proactive measures in place to respond to and mitigate disruptions when they do occur,” said Fadhil. “The city of Minneapolis IT continues to monitor its cyber platforms to ensure further disruption doesn’t happen again.”

On Sunday, while the turmoil was continuing in the US, alleged members of the group (@PowerfulArmyGR, @namatikure) announced on Pastebin that the site was hacked and leaked the database of email and passwords.

But some security experts argued that the data were not obtained as result of a security breach occurred during the DDoS attack.

The popular cybersecurity expert Troy Hunt, who operates the data breach notification site Have I Been Pawned, raised doubts of the alleged data leak.

Hunt speculates the data was amassed from past data breaches, most of the email addresses in the leak were already present in Have I Been Pawned.

Firstly, each of the random addresses I picked out appears in @haveibeenpwned, usually against credential stuffing lists which have email address and plain text pairs. In other words, this is data that’s already out there in other breaches, at least the email addresses are.— Troy Hunt (@troyhunt) May 31, 2020
What we almost certainly have here is the result of someone selecting every email address from old breaches or credential stuffing lists and passing it off as something it isn’t. There’s no evidence whatsoever to suggest this is legitimate.— Troy Hunt (@troyhunt) May 31, 2020Hunt analyzed the email in the dump and discovered that some email addresses are duplicated and are reported with different passwords, a circumstance that suggests they were originated from different sources and aggregated to appear the result of the Minneapolis Police hack.

“There are 798 email addresses in the data set but only 689 unique ones. 87 of the email addresses appear multiple times, usually twice, but one of them 7 times over.” reads the Hunt’s analysis. “I’ll come back to the passwords associated with that account in a moment, what I will say for now is that it’s extremely unusual to see the same email address with multiple different passwords in a legitimate data breach as most systems simply won’t let an address register more than once.”

Hunt discovered that of the 689 unique email addresses in the list, 654 of them are already in Have I Been Pwned. 

“The conclusion I draw from this is that a huge amount of the data is coming from aggregated lists known to be in broad circulation.” concludes Hunt.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – Minneapolis Police, cybersecurity)

The post There was no data breach in the cyberattack against Minneapolis Police appeared first on Security Affairs.