Claims that the FBI’s website has been hacked using a zero-day vulnerability in Plone are false, according to the developers of the open source content management system (CMS).
On January 1, an individual using the online moniker CyberZeist (aka le4ky) leaked roughly 150 fbi.gov email addresses and what appeared to be SHA-1 password hashes and their associated salts. CyberZeist claimed to have obtained the information after exploiting a Plone zero-day flaw that has allegedly been sold on a dark net website.
Plone developers have analyzed the screenshots and information made available by CyberZeist and determined that it’s likely just a “hoax.”
Plone is considered a highly secure CMS and the fact that it has been used by the FBI and various other U.S. government organizations is not a secret. However, that may be the only truth in the post published on Pastebin by CyberZeist, who claimed to have carried out the attack on behalf of the Anonymous hacktivist movement.
The developers of Plone said some of the screenshots have been faked, while others simply don’t back the hacker’s claims. Furthermore, the leaked email addresses show up in several older leaks, and the password hashes and salts are not consistent with ones generated by Plone. The credentials were allegedly obtained from .bck backup files, but this extension is not used by the Plone backup system.
“It is extremely easy to fake a hack like this. It takes only rudimentary Photoshop skills or use of the Chrome JavaScript developer console,” said Nathan Van Gheem of the Plone security team.
Plone also pointed out that the so-called zero-day exploit is up for sale for 8 bitcoins ($9,000), but since it’s not possible to obtain refunds on such transactions, experts believe it’s likely a scam.
“We don’t believe the FBI is his target; it is more likely that he is using this high profile site as a way of advertising fake exploits for sale,” Plone representatives said. “There is no reason to believe that his claims are genuine and we remind all website administrators to be wary of social media users claiming to have bugs for sale.”
CyberZeist has claimed to have found vulnerabilities in the websites of several major organizations in the past months, but he hasn’t provided any solid proof to back his claims. Furthermore, he has been known to fake data leaks.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
