- An internal DHS readout shows that analysts twice dismissed intrusion alerts on the HSIN information-sharing network as false positives
- This effectively gave hackers approximately three weeks of undetected access before a breach was declared on June 4, 2026
- The as-yet-anonymous attackers modified server files, ran malicious code through a legitimate web server program, deleted log files, installed backdoors, and stole credential files
Hackers managed to break into the US Department of Homeland Security’s primary information-sharing platform, gaining unfettered access to the HSIN network, which hosts unclassified information that several US and international agencies rely on.
The hack allowed the attackers to modify server files, run malicious code and steal credential files, while installing backdoors and deleting logs to remove their digital footprint.
Their moves were flagged twice by automated systems and analysts in May 2026 before being dismissed as a false positive each time before an active breach was declared a month later.
Bad timing meets bad security practices?
The timing and details of this intrusion are particularly details that could prove embarrassing for the US government.
The HSIN network not only serves as a key intelligence sharing tool for both domestic and international partners during the FIFA World Cup, but also hosts information on other major events such as the America250.
The fact that the hack was picked up not once, but twice by flags before being dismissed as a false positive raises competency concerns for an agency that has already drawn interest, with House Homeland Security Committee staff already requesting a briefing on the intrusion.
DHS, for its part, is downplaying the incident, with a spokesman confirming it but narrowly characterizing it: The department is “aware of a recent cyber incident involving a specific, unclassified legacy information-sharing environment” and says there is no indication that classified networks were affected.
This view is countered by Senate Intelligence Committee Vice Chairman Mark Warner, who argued that the platform’s sensitivity exceeds its classification level, saying that the information in the HSIN, “although not classified, is highly sensitive and its exposure risks national security.”
Investigators have yet to identify or assign blame to a specific hacker group or organization, adding to the chaos in determining the motive. The hackers have deleted logs on servers, which only adds to the confusion here.
Big consequences
The important question may not be how the breach happened, but why confusion and mischaracterization of the security lapse made it a much bigger problem than it would have been had it been contained from the start. Despite security flags and analysts highlighting the breach as early as May 15, the hackers had largely free rein to operate until at least June 3 thanks to initial reports being dismissed as false positives.
HSIN as a platform handles event security planning, inter-agency coordination, threat information and details of persons of interest. Whether any of this material was actually copied remains unknown. Investigators haven’t determined what, if anything, was exfiltrated, though the theft of credential files is telling in itself: Attackers who steal credentials are almost by definition trying to reach systems and accounts beyond their original foothold.
This is not the first time HSIN has been compromised, with two documented previous incidents, including a compromised account in 2009 and misconfigured access in 2023, resulting in intentional and unintentional network breaches.
The problem is only exacerbated by the fact that DHS, along with its cybersecurity agency, CISA, has absorbed significant workforce cuts over the past year, potentially weakening its defenses against sophisticated hacks that require manual human intervention or monitoring to detect, even when the correct flags (triggered as intended) are already in place.
Such manpower shortages have also been politically polarizing in the US Congress and could be highlighted when the department provides more detailed information about the hack in the coming days, even as the Pentagon deals with its own OPSEC issues that are also being aired in the same forum.
Via DefenseOne
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



