from Hacker News

DOGE engineer's credentials found in past public leaks from info-stealer malware

by lysp on 5/9/25, 7:22 AM with 163 comments

  • by whacko_quacko on 5/9/25, 8:43 AM

    I don't see any evidence that this should be the case. My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?

    Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism

  • by dev_l1x_be on 5/9/25, 8:22 AM

    > a strong indication that devices belonging to him have been hacked in recent years.

    I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.

  • by palata on 5/9/25, 10:06 AM

    Seems like people here assume that passwords were found on Have I Been Pwned. It's more than that, it's about "stealer malware":

    > [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.

  • by ndsipa_pomu on 5/9/25, 8:08 AM

    Does the USA have an authority that can deny privileged data access to someone that has such poor operational security? Revoke security clearances, that kind of thing.

  • by tjpnz on 5/9/25, 11:02 AM

    Under normal circumstances if that system were connected to an internal network there would be a cleanup (and the costs would be astronomical). I say normal circumstances because I fully expect these clowns to obfuscate, omit and deny everything for the next four years.

  • by sys_64738 on 5/9/25, 12:08 PM

    All thee DOGE dudes are destined to spend life imprisoned on Alcatraz. The scope of the antics done by these people and the downright disregard for security, ethics, law, and the Constitution, all make them the right people to make examples of.

  • by ChrisArchitect on 5/9/25, 2:19 PM

    Source:

    DOGEs K Schutt's computer infected by malware, credentials found in stealer logs

    https://news.ycombinator.com/item?id=43930267

  • by ninalanyon on 5/9/25, 7:26 PM

    Was he using his own computer? He should surely have been using one provided by the institution. In a properly secured system he should not have needed passwords to connect to databases, they should have been secured by something like Active Directory roles and certificates. Do any of these US institutions have any idea of proper security?

  • by constantcrying on 5/9/25, 3:48 PM

    The article title suggests that this is about his current PC which he is using at the agency. That is totally false.

    In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.

    I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?

  • by Incipient on 5/9/25, 1:04 PM

    Haha noice.

    I don't think anyone really needs to express more at this point.

  • by guiambros on 5/10/25, 8:59 PM

    Garbage clickbait article.

    Buried down the text, they have the plausible deniability disclaimer:

    "As Lee notes, the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points."

    Of course "credentials have been exposed": the vast majority of sites have been hacked. It doesn't mean this person used the same credentials everywhere, AND that they didn't use 2FA, AND that the credentials matter in the first place. And, of course, this has absolutely nothing to do with malware.

    Shame on you ARS for publishing purely speculative posts.

  • by mystified5016 on 5/9/25, 1:49 PM

    They're saving the government lots of money by streamlining the data exfiltration.

  • by amelius on 5/9/25, 9:26 AM

    > “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (ahem cough cough the Russians cough) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon.

    Good point.

  • by gitroom on 5/9/25, 10:10 AM

    Honestly, stuff like this always makes me double check my own passwords and habits. Bunch of people just roll with the same easy setup for years and act surprised later. Gotta be careful, for real.

  • by joejoo on 5/9/25, 8:57 AM

    Now imagine how many normie, computer-illiterate federal employees in fairly sensitive roles have had various credentials leaked over the past few years.

  • by epanchin on 5/9/25, 9:16 AM

    This article is reaching.

    I’ve logged onto secondary email accounts from PC’s that weren’t mine and could well have been infected. That’s what 2FA is for.

    I wouldn’t use a PC which isn’t mine to login to anything sensitive. A password in a leak isn’t evidence of anything.