Facepalm: The Michigan Democratic Party conducted a penetration test on the DNC's national voter database but forgot to warn the DNC in advance. The DNC freaked out and reported it to the FBI.
This past Tuesday, the Democratic National Committee reported to the FBI that it had been targeted by a sophisticated cyberattack, and it was proud of having thwarted the attack. In a surprise reversal today, the DNC announced it was all a false alarm. It turns out the "attack" was just a friendly security test done by some volunteers and researchers in Michigan.
The incident consisted of a phishing attack meant to gain access to the party's master voter database. The firm conducting the test, DigiDems, created a fake login page that was emailed to DNC officials. This page would then steal the password of anyone who tried to log into the VoteBuilder database, a closely guarded list containing the personal information of registered Democratic voters and donors. It could be extremely valuable to adversaries, so access is closely monitored.
In a statement to NPR, a party official described the test as being actually carried out by white hat workers at the Michigan Democratic Party. Unfortunately, members of the state party never told the national office about the test.
Penetration tests of this kind are very common in the industry as a way to find weak points in an institution's security. However, the company whose security is being tested usually knows about such a test in advance.
DNC security officer Bob Lord said in a statement that "there are constant attempts to hack the DNC and our Democratic infrastructure, and while we are extremely relieved that this wasn't an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks."
The DNC was attacked by Russian hackers during the 2016 election, so it's no surprise they are on high alert for future incidents.