• 2 min read
DHS missed HSIN hack twice before declaring breach
Analysts twice dismissed HSIN intrusion alerts as false positives, giving attackers about three weeks inside a key DHS information-sharing network.

Image: TechRadar
Attackers spent roughly three weeks inside the US Department of Homeland Security’s HSIN network after analysts twice dismissed intrusion alerts as false positives, according to an internal DHS readout cited by DefenseOne.
The breach was declared on June 4, 2026, but warning signs had already appeared in May 2026. During that time, the still-unidentified attackers were able to alter server files, run malicious code through a legitimate web server program, delete logs, install backdoors, and steal credential files.
HSIN is DHS’s main information-sharing platform for unclassified material used by multiple US agencies and international partners. The timing is especially awkward: the network supports coordination around major events including the FIFA World Cup and America250.
What attackers did on the HSIN network
Investigators have not yet identified the group behind the intrusion or determined what data, if any, was exfiltrated. But the theft of credential files suggests the attackers may have been trying to move beyond their initial access into other systems and accounts.
The deletion of logs has also made the investigation harder. According to the report, automated systems and analysts flagged suspicious activity as early as May 15, yet the incident was not treated as an active breach until at least June 3.

Recommended reading
11-byte HollowByte attack can bloat OpenSSL memory
A DHS spokesperson confirmed the incident but sought to narrow its scope, saying the department is “aware of a recent cyber incident involving a specific, unclassified legacy information sharing environment” and that there is no indication classified networks were affected.
“while not classified, is highly sensitive, and its exposure risks national security.”
Prior HSIN incidents and political fallout
This is not the first known HSIN security lapse. The platform previously saw a compromised account in 2009 and misconfigured access in 2023, leading to both intentional and unintentional breaches.
The incident is also likely to intensify scrutiny of DHS and CISA, both of which the source says have absorbed significant workforce cuts over the past year. The House Homeland Security Committee staff has already requested a briefing, and the department is expected to face tougher questions in the coming days as investigators work out what the attackers reached — and what they may have taken.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via TechRadar


