- An internal DHS review shows that analysts twice dismissed intrusion alerts on the HSIN information-sharing network as false positives.
- This effectively gave hackers about three weeks of undetected access before a breach was declared on June 4, 2026.
- The attackers, still anonymous, modified server files, executed malicious code through a legitimate web server program, deleted logs, installed backdoors, and stole credentials files.
Hackers managed to hack their way into the US Department of Homeland Security’s main information sharing platform, gaining unrestricted access to the HSIN network which hosts unclassified information relied upon by many US and international agencies.
The hack allowed attackers to modify server files, execute malicious code, and steal credentials while installing backdoors and deleting logs to remove their digital footprint.
Their movements were flagged twice by automated systems and analysts in May 2026, only to be rejected each time as false positives before an active violation was declared a month later.
Bad timing meets bad security practices?
Notably, the timing and specifics of this intrusion are details that could prove embarrassing to the U.S. government.
Not only does the HSIN network serve as a key intelligence-sharing tool for domestic and international partners during the FIFA World Cup, but it also hosts information on other major events, such as America250.
The fact that the hack was detected not once, but twice by flags before being dismissed as a false positive raises jurisdictional issues for a body that has already attracted interest, with House Homeland Security Committee staff already requesting a briefing on the intrusion.
DHS, for its part, is downplaying the incident, with a spokesperson confirming it but characterizing it narrowly: the department is “aware of a recent cyber incident involving a specific, unclassified information sharing environment” and says there is no indication that classified networks were affected.
This view is countered by Senate Intelligence Committee Vice Chairman Mark Warner, who argued that the sensitivity of the platform exceeded its classification level, saying that the information contained in HSIN, “although unclassified, is highly sensitive and its exposure risks national security.”
Investigators have yet to identify or blame any specific hacking group or organization, adding to the chaos in determining motive. The hackers deleted the logs on the servers, which only adds to the confusion.
Major implications
The important question, perhaps, is not how the breach occurred, but why confusion and misinterpretation of the security flaw allowed this flaw to become a much bigger problem than it would have been if it had been contained in the first place. Despite security alerts and analysts highlighting the flaw as early as May 15, hackers were essentially given free rein to operate until at least June 3 thanks to early reports being dismissed as false positives.
HSIN, as a platform, manages event security planning, interagency coordination, threat intelligence, and person of interest details. It is unknown whether these documents were actually copied. Investigators have not determined what, if anything, was exfiltrated, although the theft of credential files is telling: Attackers who steal credentials are, almost by definition, attempting to reach systems and accounts beyond their initial foothold.
This is not the first time HSIN has been compromised, with two previous documented incidents, including a compromised account in 2009 and misconfigured access in 2023, resulting in intentional and unintentional network breaches.
The problem is only exacerbated by the fact that DHS, as well as its cybersecurity agency, CISA, have absorbed significant staff reductions over the past year, potentially weakening its defenses against sophisticated hacks that require manual human intervention or monitoring to detect, even when the right indicators (which triggered as expected) are already in place.
Such manpower shortages have also politically polarized the US Congress and could be highlighted when the department provides more detailed information on the hack in the coming days, even as the Pentagon deals with its own OPSEC issues that are also being discussed in the same forum.
Via DefenseOne
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




