80 comments

[ 2.7 ms ] story [ 69.8 ms ] thread
I have no problem with my credentials being revoked everywhere before I know about a layoff. I don't really care how I learn about it, just please don't make me come in to the office.
> just please don't make me come in to the office.

But how do you pick up the stuff from your desk? I once lost a nice pair of headphones this way.

so, apparently, the passwords were stored in cleartext.
How on earth did someone previously convicted of what sounds like hacking get job access to so many prod government databases? Wild that it took them so long to get caught.
I had the same questions. Apparently discovery of the prior conviction is what lead to them being fired:

> When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025

from https://www.justice.gov/opa/pr/federal-jury-convicts-virgina... which is a better source on this.

That prompts the question of why background checks are so lax that they were hired before this was discovered.

And I recently couldn't get a job through a federal contractor for a federal position (requiring NO security clearance) because they didn't like something on my credit report.
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.

It should be a federal crime with prison time to make a DB for a federal agency and not hash and salt passwords or other auth credentials.

It's probably some sort of crusty old application written before salt and hash was SOP. No agency is going to spend money on hardening something non-critical unless there's an incident or there's free money to do so. And that application was likely written by some contractor who's no longer around or has the source code available so any fixes would require an entire redo. And while you're redoing the whole thing, let's add in a bunch of features and scope creep to balloon the cost and schedule. Oops, the new contractor writing the app is overrun so let's bail and go back to the old version.
> At 4:58 pm, he wiped out a Department of Homeland Security database using the command “DROP DATABASE dhsproddb.”

This article is hilarious. The two bickering brothers remind me of the guys in the Oceans movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data.

> At 4:59 pm, he asked an AI tool, “How do i clear system logs from SQL servers after deleting databases?” He later asked, “How do you clear all event and application logs from Microsoft windows server 2012?”

So many red flags, I can't even.

Those are not red flags. Those are the actual thing. I think red flag is a heuristic that warns you about a course of action.
Are you a man?

Yes, 19.

Are you alive?

Yes, 18!

Evel Knievel.

They also come off as a little bit rosencrantz and guildenstern imo

As somebody who's spent most of my career in Fairfax County I find nothing about this story even remotely surprising.
It’s crazy that people are desperate for jobs and these clowns get hired.
Well, who else would you hire for the circus?
Maybe they're really, really good at leetcode. You can't pass up talent like that. </sarcasm>
> Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter.

WTF?

Nice handwritings, though.
> [Opexus] said that “the individuals responsible for hiring the twins are no longer employed by Opexus.”

Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked."

Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even say decades old marijuana posession or something).

I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc.

Privileged access should only be temporary in context of break glass with approval. People can go ballistic with core systems for reasons other than firing.
the problem is that its so challenging to figure out what the person actually has access to. Have they ever done a export with sensitive information, that is now sitting on their local machine? Any important clients they still are in contact with over email that they may try to sabotage? Any other creative endeavors you haven't thought through?

The most fool proof way is just to nuke the computer in its entirety.

I once worked at a company where one Active Directory server was storing all passwords in plain text. Just think of the havoc someone could do with a dump of that.
I think mature sysadmins accept there's a certain .. bushido to their security-critical role. It is after all their job to respond to security threats, including by revoking credentials, and to recognize that they might fall on the wrong side of that some day.

But things are different both in small companies, and non-US environments where minimum notice periods or redundancy consultations are a thing. You may put people on "gardening leave" where they're still paid but not actually working. Or it may be the case that the sysadmin is the one person who knows and controls a lot of stuff, and the employer has ended up relying on them for a smooth handover. Password and role management for the "root" of things is a real problem.

I don't think you understand how this works. The second person was hired because the first one wined at his manager until he was hired. Presumably this was part of a whole chain and that would make me understand why “the individuals responsible for hiring the twins are no longer employed by Opexus.” was a good idea.
A true professional always makes sure to leave their workspace completely spotless before going home
> On March 12, 2025, a search warrant was executed at Sohaib’s home in Alexandria. Agents grabbed plenty of tech gear but also turned up seven firearms and 370 rounds of .30 caliber ammunition. Given his former crimes, Sohaib should have had none of this.

For god's sake, don't commit crimes while you're committing crimes.

> Given his former crimes, Sohaib should have had none of this.

Nobody should have a personal armory.

It's funny how it's never just one thing.

In my region of the world a crackdown on street racing started a few years ago. It continued because each night the police stopped someone, there was at least one DUI and suspended license.

Unsurprisingly those who disregard traffic rules tend to equally disregard other rules.

How did they get access to 5k passwords? Are they being sent/stored in cleartext? This is the most baffling part of the article for me.

The second part I'm unclear about is how you could pass SOC2 when you aren't terminating account access simultaneously with the employment termination.

I don’t think you understand what SOC2 is.

First of all, it is viral, and it is almost never adopted based on its own technical merit.

Second, it has lots of levels. The first level is “we wrote down a plan explaining how we’re going to secure stuff”.

The second level is when you start implementation or maybe tracking or something.

The key thing is that first level: When your SOC2 dept says you have to do something idiotic for SOC2 compliance, it is because someone at your company invented the idiocy, and should be fired. However, you still need to follow their dumb plan because that’s the process.

In this case, the “how do we fire people” process, and “how do we prevent one llm from dropping 96 prod DBs in a single session” very well could have had answers in the plan, the plan could have been implemented, and therefore the company is still soc2 compliant, and this is exactly what a working soc2 process is supposed to look like.

Deleting data like that is a crime investigated by the FBI. In a very sad story, a brilliant former coworker made a mistake of deleting data after leaving employment and ended up in prison. Brilliant guy, momentary mistake. Overzealous employer.
prosecute the company too.

storing passwords in plaintext should be persecuted & having unlimited access to customer databases.

imagine the delete-fest the current whitehouse is going to do in a few years

all with pardons waiting so they can't be convicted

they might not even wait a few years

(comment deleted)
Some good handwriting
The penmanship of the guy is extremely neat, like, uncannily so
> While this was going on, the brothers held a running conversation. (The government is not clear about whether this took place over text, instant message, or in person.)

Explain to me how we can have a transcript of a conversation without knowing whether it was in person or not. I'm baffled by this sentence.

This is very surprising that they would pass a background check. I've been denied an offer because of a low credit score multiple times.
This whole story is just line after line of utter incompetence.

The "after they were fired" sounds catchy, but isn't even the biggest failure.

This organization shouldn't be permitted anywhere near government, or any non-public, data/information.

He may be a bad person but he has a very pretty handwriting.
(comment deleted)