Hackers breached DHS after alarms were twice ruled 'false positives'

Department of Homeland Security logo on a flag
(Image credit: Shutterstock)

  • An internal DHS readout shows analysts twice dismissed intrusion alerts on the HSIN information-sharing network as false positives
  • This effectively gave hackers roughly three weeks of undetected access before a breach was declared on June 4 2026
  • The as-yet anonymous attackers altered server files, ran malicious code through a legitimate web-server program, deleted logs, installed backdoors, and stole credential files

Hackers managed to find their way into the US Department of Homeland Security's primary information sharing platform, gaining unfettered access to the HSIN network that hosts unclassified information that multiple US agencies and international rely on.

The hack allowed the attackers to modify server files, run malicious code and steal credential files while installing backdoors and deleting logs to remove their digital footprint.

Their movements were flagged twice by automated systems and analysts in May 2026, before being dismissed as a false positive each time before an active breach was declared a month later.

Latest Videos From

Bad timing meets bad security practices?

The timing and specifics of this intrusion are, in particular, details which could prove to be embarrassing for the US government.

Not only does the HSIN network serve as a key intelligence-sharing tool for both domestic and international partners during the FIFA World Cup, but it also hosts information on other major events, such as America250.

The fact that the hack was picked up not once, but twice by flags before being dismissed as a false positive raises competency concerns for an instance that has already sparked interest, with the House Homeland Security Committee staff having already requested a briefing on the intrusion.

The DHS, for its part, is downplaying the incident, with a spokesperson confirming it but characterizing it narrowly: the department is "aware of a recent cyber incident involving a specific, unclassified legacy information sharing environment" and states there is no indication that classified networks were affected.

This viewpoint is countered by Senate Intelligence Committee Vice Chairman Mark Warner, who argued the platform's sensitivity outstrips its classification level, saying that the information in HSIN, "while not classified, is highly sensitive, and its exposure risks national security."

Investigators have yet to identify or assign blame to a particular hacking group or organization, adding to the chaos in determining motive. The hackers have deleted logs on servers, which only adds to the confusion here.

Major implications

The important question, perhaps, is not how the breach happened, but why confusion and mischaracterization of the security lapse allowed it to become a much bigger issue than it would have been if it had been contained from the start. Despite security flags and analysts highlighting the breach as early as the 15th of May, the hackers essentially had free rein to operate until at least the 3rd of June thanks to initial reports being dismissed as false positives.

HSIN as a platform handles event security planning, interagency coordination, threat information, and details on persons of interest. Whether any of that material was actually copied remains unknown. Investigators have not determined what, if anything, was exfiltrated, though the theft of credential files is itself telling: attackers who steal credentials are, almost by definition, trying to reach systems and accounts beyond their initial foothold.

This is not the first time HSIN has been compromised, with two documented previous incidents, including a compromised account in 2009 and misconfigured access in 2023, that have resulted in intentional and unintentional breaches of the network.

The issue is only exacerbated by the fact that the DHS, along with its cybersecurity agency, CISA, has absorbed significant workforce cuts over the past year, potentially weakening its defenses against sophisticated hacks that require manual human intervention or oversight to detect, even when the correct flags (which triggered as intended) are already in place.

Such manpower shortages have also been politically polarizing in the US Congress and may be highlighted when the department provides more detailed information about the hack in the coming days, even as the Pentagon deals with its own OPSEC issues that are also being aired in the same forum.

Via DefenseOne


Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.


Rahim Amir
Contributor

Rahim Amir is a UAE-based tech writer who enjoys building PCs as much as he enjoys writing about them. He has been professionally writing about PC hardware since 2023, focusing on buyer’s guides, hardware reviews, and sponsored content and features related to tech.

Having built hundreds of gaming PCs and being an avid gamer in his spare time, Rahim tends to have stronger opinions about hardware than most. This is particularly on display when he gets his way with powerful, but minimalistic RGB builds even as Small Form Factor (SFF) PCs come a close second.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.