The FBI blamed a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) for a technical mishap that allowed emails to be sent from the ic.fbi.gov domain.
“LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners,” the FBI said.
The bureau also assured that no data was affected during the technical glitch.
“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”
The FBI quickly took the “impacted hardware” offline, and fixed the “software vulnerability” before finally confirming the network integrity.
Brain Krebs reported that the sender of the e-mails was able to do so because the FBI generated a client-side unique code to log into a brand new account on LEEP, and it was sent to the FBI servers as a POST request along with an e-mail subject and e-mail address. Manipulation of the request parameters led to the e-mails being sent, and a script was used to automate the sending.