Greetings! Late last night, I entered into a discussion with Kel McClanahan - the lawyer currently suing the Office of Personnel Management on behalf of two employees who believe their privacy was breached. Through Kel, I met Jay - a systems security expert with 29 years of experience - and we talked about what he found when he ran an inquiry into what subdomains were published to public Domain Name System (DNS) servers for the opm.gov domain.
What he found could be evidence that on-premises servers were moved to the cloud, possibly exposing private OPM employee data: control panels for infrastructure, what looked to be personal workstations, and other administrative-level items, none of which should be publicly available. Jay noticed that after some time, several of the admin portals had stopped responding. He ran another scan and found that more than half of them had been removed from the public DNS record.
The newly removed subdomains include the HR@opm.gov email servers, three load-balancing appliances (which could explain the 20 different email addresses numbered HR0-HR19), and active admins connecting from (presumably) offsite, possibly from a foreign country.
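The pattern Jay describes, a public zone listing management hostnames that later quietly disappear, is exactly what an organisation should be watching for in its own DNS. The script below is an added example written for this post; it is not Jay's scan and not OPM's data. It parses two constructed BIND-style snapshots of a hypothetical example.gov zone (the hostnames, IPs and the ADMIN_MARKERS list are all assumptions), flags hostnames that look like admin portals, workstations or load balancers, groups numbered series such as hr0, hr1, hr2 into pools, and reports which records were withdrawn or repointed between the two runs. It runs entirely offline.

```python
"""Audit an organisation's own public DNS zone for exposed administrative
hostnames and diff two snapshots to see what was quietly withdrawn.
Added example, not from the original post; all zone data is constructed
for a hypothetical example.gov and is not opm.gov data."""
import re
from collections import defaultdict

# Constructed "before" snapshot: what a zone dump of your own domain might show.
SNAPSHOT_BEFORE = """\
www.example.gov.        300 IN A     192.0.2.10
mail.example.gov.       300 IN A     192.0.2.25
hr0.example.gov.        300 IN A     192.0.2.30
hr1.example.gov.        300 IN A     192.0.2.31
hr2.example.gov.        300 IN A     192.0.2.32
lb1.example.gov.        300 IN A     192.0.2.40
lb2.example.gov.        300 IN A     192.0.2.41
vcenter.example.gov.    300 IN A     192.0.2.50
idrac-db01.example.gov. 300 IN A     192.0.2.51
jsmith-ws.example.gov.  300 IN A     192.0.2.60
admin.example.gov.      300 IN CNAME lb1.example.gov.
"""

# Constructed "after" snapshot: management records are gone, mail host repointed.
SNAPSHOT_AFTER = """\
www.example.gov.        300 IN A     192.0.2.10
mail.example.gov.       300 IN A     203.0.113.25
hr0.example.gov.        300 IN A     192.0.2.30
hr1.example.gov.        300 IN A     192.0.2.31
hr2.example.gov.        300 IN A     192.0.2.32
lb1.example.gov.        300 IN A     192.0.2.40
lb2.example.gov.        300 IN A     192.0.2.41
"""

RECORD_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(A|AAAA|CNAME|MX)\s+(\S+)$")

# Assumed list of name fragments that usually mark management interfaces;
# tune it to your own naming conventions.
ADMIN_MARKERS = ("admin", "vcenter", "idrac", "ipmi", "ilo", "mgmt", "panel", "cpanel")


def parse_zone(text):
    """Return {hostname: (rtype, rdata)} from a BIND-style record dump."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, rtype, rdata = m.groups()
            records[name.lower()] = (rtype, rdata.rstrip("."))
    return records


def classify(hostname):
    """Tag a hostname with the exposure categories its label suggests."""
    label = hostname.split(".")[0]
    tags = set()
    if any(marker in label for marker in ADMIN_MARKERS):
        tags.add("admin-portal")
    if label.endswith("-ws") or re.fullmatch(r"(ws|pc|desk)\d+", label):
        tags.add("workstation")
    if re.fullmatch(r"lb\d+", label):
        tags.add("load-balancer")
    return tags


def numbered_pools(records, minimum=3):
    """Group labels like hr0, hr1, hr2 into one pool keyed by the alpha prefix."""
    groups = defaultdict(list)
    for name in records:
        m = re.fullmatch(r"([a-z]+)(\d+)", name.split(".")[0])
        if m:
            groups[m.group(1)].append(name)
    return {base: sorted(n) for base, n in groups.items() if len(n) >= minimum}


def diff_snapshots(before, after):
    """Records that vanished, appeared, or changed target between two runs."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    return {"removed": removed, "added": added, "changed": changed}


def audit(before_text, after_text):
    """Full report: what was exposed, what changed, and what sensitive names
    were withdrawn, since a silent withdrawal is the signal worth escalating."""
    before, after = parse_zone(before_text), parse_zone(after_text)
    delta = diff_snapshots(before, after)
    return {
        "exposed_before": sorted(n for n in before if classify(n)),
        "delta": delta,
        "withdrawn_sensitive": [n for n in delta["removed"] if classify(n)],
        "pools": numbered_pools(before),
    }


if __name__ == "__main__":
    for key, value in audit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{key}: {value}")
```

Run against your own zone exports taken on a schedule, the "withdrawn_sensitive" list is the item to route to incident response: a management hostname that was published and then pulled is either a cleanup you authorised or evidence that someone else noticed the exposure first.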
I asked about the OPM employee that claims someone came in and attached a box to OPM’s on-premises servers, and it turns out that would be a way to transfer the on-premises data to the cloud.
Additionally, the security certificates associated with the original on-premises mail servers no longer functioned when the data was transferred to the cloud, which could explain why early tests of the HR@opm.gov email bounced back when replied to. Eventually, those security certificates were corrected, possibly leading to the second test of HR@opm.gov, and successful replies would authenticate the cloud-based servers. But whoever updated the email server certificates failed to correct any of the other ones.
I asked why someone would want to move on-premises data to the cloud and add email servers there. Apparently, that makes it much easier to delete those servers and destroy any evidence that could be subject to future FOIA requests or subpoenas.
So while there is evidence that the entire operation surrounding HR@opm.gov was rushed, sloppy, and likely engineered by a small team of three or four people outside the agency, the much bigger problem is that while those subdomains were public, OPM email servers were compromised. Not to mention the frightening possibility that outsiders installed a box to upload opm.gov servers to the cloud for outsider access.
Couple all this with reporting from WIRED today, and you can see why there’s a bigger problem here. Vittoria Elliott writes:
Sources within the federal government tell WIRED that the highest ranks of the Office of Personnel Management (OPM)—essentially the human resources function for the entire federal government—are now controlled by people with connections to Musk and to the tech industry.
That list of people includes Amanda Scales, formerly at Musk’s xAI, whose email address was included in one of the first OPM memos that asked employees to snitch on their DEI co-workers. It almost feels like when there was an uproar that she was included as a contact for informers, they decided they needed a stealthier and more easily destroyed email server. The other email for snitches listed in that memo was DEIATruth@opm.gov, but that email was quickly overrun with spam and Bee Movie scripts - a problem that could possibly be averted with 20 different email addresses disguised to look like one. Had I put out a call to spam HR@opm.gov, it likely would have gone nowhere because the real email addresses were HR0-HR19@opm.gov.
Also on that list of Musk acolytes atop OPM are Riccardo Biasini and Steve Davis, who worked for Musk at the Boring Company. According to WIRED, it’s rumored that Davis is advising Musk on DOGE cuts just as he did with Twitter cuts. I’m sure you wouldn’t be surprised to learn that the subject line of Musk’s email asking for Twitter employees to resign was also entitled “A Fork in the Road.”
There are also a couple of “software engineers” advising OPM who are 21 and 19 years old. It’s anyone’s guess as to whether they were a part of the slapdash on-premises data transfer that left OPM servers exposed.
All of this brings back memories of the Alfa Bank Trump Tower server mystery of 2016. You’ll recall that a group of computer scientists disclosed, on the basis of DNS (Domain Name System) logs, that two internet servers belonging to Alfa Bank had looked up the address of the Trump Organization server 2,820 times between May and September that year. A DNC lawyer alerted the FBI to that activity. That DNC lawyer was Michael Sussmann - who was eventually indicted by Trump/Barr henchman John Durham, who was tasked with investigating the Mueller probe. Sussmann was acquitted of all charges, and the only apparent crime found in that investigation was one that Trump himself committed.
I urge you all to listen to this interview, and I apologize in advance for my lack of systems security knowledge. I really just wanted to bring this story to the public as best I could.
Thank you so much for listening and subscribing!
~AG
Thank you for getting this out there! I swear there are 10 of you getting news to us immediately. I don't know how you do it.
And holy crap. This is huge. As someone who is studying cybersecurity this is a giant red flag. If the OPM servers were moved to the cloud and compromised, it wouldn't just be by Musk's team. It could very well be many foreign actors.
This is going to get ugly.
First, thank you Allison for your efforts and hard work with this because we know it has far more significance than just a little email phishing. I have no doubts federal employee privacy is extremely compromised now & this little backdoor ID numbering is just a part of The Felon Administration's Identify & Purge Program.
I wouldn't be surprised at all that with The Felon's propaganda team (probably run by Stephen Miller) in the White House, there is no privacy.
For anyone.
Anywhere.
Anymore....
UNLESS you're an inner circle maga, RepubliFascist, multimillionaire or a billionaire & even then it's limited because they like to spy on each other.
I followed up and sent this to Rep. Khanna for the Cybersecurity, IT, and Gov innovation subcommittee of the House Oversight Committee for IP overreach. Hopefully they will look into it.
Musk has his fingers in every piece of personal data for every single American, government employee or not. Nobody is safe, and he can change, remove, or add data, both real and imagined, as needed on individuals. Does anyone still doubt that Musk and Co. changed the election results? The only answer is to take him and his team of merry men out of service, gut the computers, and start over. Everything is corrupted.
I have no doubt at all since drumpf hinted at election interference for months. What I’m puzzled about is WHY VP Harris didn’t demand inquiries into the tossed voter registrations or the votes lost from the bomb threat sites on Election Day.
Agreed. So frustrating.
Steven Spoonamore sent her a “Duty to Warn” letter about the election being stolen. He said he could prove how they did it. GregPalaste.com also has information on this.
I have to agree with you. Musk wants to rule us. Frump is too lazy and dumb to know he has been bought and paid for and in time will be in Musk's trash can.
Yes it is. I know… they have access to every employee's most intimate details submitted in their background checks. This is scary.
Allison, how can we get this immediately public for the majority of the people to see?
Personally, I think we need to try to get this story to Rep. Ro Khanna, a strong Dem who’s on the Cybersecurity, IT, and Gov innovation subcommittee of the House Oversight Committee.
Incredible reporting Allison. Can this be brought to the attention of the employees if they are compromised? Unbelievable!
This is HUGE.
Hit the OPM with a FOIA as to who authorized this expatriation of US Government systems and data, who the current cloud service provider is, and all persons having access to the data and their affiliation with the OPM and NGOs.
A replica of that mail storage would be prime data for distribution of trackers and active surveillance. It doesn't take all that long to move that data to cloud servers with the federal government's dedicated network pipes.
Yes! And with The Felon Administration most anything at all can be procured, by whomever -- as long as they're willing to cough up the right dollar amount.
I can think of many reasons why Elon and the PayPal Mafia would want to tap those fiber backbones to the Reston DCs and the entire SIPRNet infrastructure.
Exactly 😉
ONE BIG YIKES!!!
Where is anonymous the group to hack these hackers?
Thanks Allison and Jay! I am definitely not technologically inclined, so what I got out of it was Holy shit! That sounds like a whole lot of conspiracy fucktastrophy from a hostile foreign country to obtain information about our government and its employees. Am I right?
If that's what it is, that's terrifying.
Nice job, Allison. Kudos to you.
“If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.” - Bruce Schneier
Looking at WHOIS, a complete DNS records dump of opm.gov, and a TRACEROUTE, it appears everything got rehosted within Akamai Technologies domain. The tracerouted IPs were all in the US. Akamai has a healthy Federal line of business. As a whole they’ve got people experienced enough not to screw up a rehosting… unless someone dropped this on them as a rush job. The last WHOIS record change was 1/30/25, 10 minutes after midnight EST.
Akamai will be around long after Trump is gone, and if they want a get-out-of-jail-free card when subpoenaed by a Democratic-controlled House committee after the midterms, they’ll make sure they snapshot the VMs.
mail.opm.gov is also within Akamai’s domain.
It sure seems HUGE to me
Which cloud they moved to is important context here. If it's a cloud container that is FEDRAMP ATO'd and under the governance of an authorizing official there's not a lot to see here. Or, is it a private cloud container under no governance? If it's the latter this should be treated as a PII breach as it runs counter to FISMA 2002 (Title III of the E-Government Act of 2002, Public Law 107-347); FISMA 2014 (Federal Information Security Modernization Act of 2014, Public Law 113-283); and OMB A-130r (Establishes PII protection policies for federal agencies).
Is there any way to find that out?
We can draw inferences from message headers and logs but without actual governance and oversight it's only inference - not fact.
BUT HER EMAILS!!! (Which they are still saying.)
Holy crap!! We are so screwed!!!
I commend Jay for explaining DNS in an email context to a lay person. Big big respect.
Trump speech on air crash:
Garbage, garbage, garbage
You don't need a cloud storage transfer device, which is what was mentioned as being used to suck data out of OPM, if you're only moving 2MM emails. 2MM email addresses would fit on a thumb drive. So what's been moved out of OPM is much, much more than just the emails of 2MM feds. Note: the emails contain someone's full name in many agencies, so they are now subject to being doxxed at will.
Why am I not shocked that there is shady stuff going on with servers? Hopeful that Federal Employees are being warned by their union not to respond to emails sent to them by anyone related to their employment or loyalty or turning in colleagues, etc.
Thanks. I work in cybersecurity and love this analysis.
Thanks Allison! I don’t understand any of it but I’m sure others will know exactly. Your work is excellent!
Great reporting. Sounds like instead of “obeying in advance”, OPM is practicing “covering up in advance”. Where there’s cover-up activity, there’s probably a crime, or at least a really good headline.
My questions to my supervisor were: who wrote the email? Why wasn't any person's name attached to it? If I replied Resign could I change my mind? What if someone sent resign under my email?
Could I still be fired while on the deferred program and if not why? Who's authorized this program and who is paying for it, the losing agency or OPM?
Wondering if all of the air traffic controllers got Elon's "Fork in the Road" email? Any idea, AG?
I feel like we’re in a James Bond scenario where Musk is the antagonist wanting to conquer the world, starting with USA.
Amazing. Amazing interview. Definitely going to have to relisten since there are a few IT terms and ideas I'm not familiar with but that also makes this an amazing interview. Excellent work Allison.
Ask for the ATO (authorization to operate, which every federal system must have, which specifies what information is there, what it's for, how it's protected, etc) for the system where that data resides now, and what the system classification is based on NIST guidelines. And ask which Appendix X controls (again, NIST) are in place given the system classification. And who signed the ATO, or who signed the exemption, and who the system owner is for that system, because they are personally responsible for the security and integrity of the system and the data. However, if the system where the data is now located is not a government system then none of that would apply.
Thanks for this very informative (if not downright terrifying) article. I have a bad feeling about this. It sounds like they intend on doing a lot of illegal stuff and want a way to wipe it all if found out this is what is happening. I'm afraid we are so busy freaking out about what we can see and hear, that we are missing the really nefarious stuff going on behind the scenes. This needs to be front and center of Democrats and journalists to get the word out. And we can help, too. Thanks so much for bringing this to light.
The Alfa Bank activity never seemed to be run to ground. They had access to DeVos' hospital, with all kinds of personal info, enough to generate vote-by-mail requests or to give donations.
This is waaay beyond my understanding, but if that information is now controlled by people with connections to Musk and to the tech industry, wouldn’t that make it easier to share with, say, Musk’s pal Putin? Could Russian hackers now have easy entry into our government computer systems?
OPM.gov data was compromised years ago. All government employees, retired employees and spouses receiving benefits had their data leaked. Everyone got notified with very limited information and no proposed remedies. An apology and explanation would have been appreciated but none given and no follow up.
😱
Thanks so much for this (and for all you do!). The names of 6 of the staff of Dodgy are now known (as well as their addresses, but I won't repost these here). But worth getting their names known, since they can know ours (and our SS#'s, bank accounts, tax returns, etc.) Akash Bobba, Edward Coristine, Luke Farritor, Gautier Cole Killian, Gavin Kliger, and Ethan Shaotran are violating the Privacy Act of 1974 which prevents the collection, use, & disclosure of personal info w/o the individual's consent. If YOU did not give them consent, THEY are committing a crime!!
Thank you (and your guest Jay as well). I had seen vague mention of these email issues on another platform; this was a great balance of detail and technical specifics.
Elon Musk's thugs are now attempting to get access to the GSA, giving them access to remote laptops, emails and potentially secure comms, texts, etc. (Gestapo flashback!)
https://www.wired.com/story/elon-musk-lackeys-general-services-administration/
BOMBSHELL!
Wow .. the thieves crept in during the dark of the night .. who in the hell are these people? Must be project 2025 insiders .. hmmmm
When will this hit the national news stations or does Trump control all of them?
Excellent reporting Allison.
This is bloody terrifying.
This information is all new to me, and important. More people should be talking about this. I hope your reporting is seen in the right places. ✌🏻
I'm a web guy of 30 years. This is a deliberate hack that compromised the security of all of that data. Creating an unauthorized dot gov email account for Elon's minions
We received a more threatening warning when logging on to our gov computer. -You are accessing a U.S. Government information system, which includes (1) this computer, (2) this computer network, (3) all computers connected to this network, and (4) all devices and storage media attached to this network or to a computer on this network. This information system is provided for U.S. Government-authorized use only.
-Unauthorized or improper use of this system may result in disciplinary action, as well as civil and criminal penalties.
-By using this information system, you understand and consent to the following:
- You have no reasonable expectation of privacy regarding any communications or data transiting or stored on this information system. At any time, the government may for any lawful government purpose monitor, intercept, search and seize any communication or data transiting or stored on this information system.
-Any communications or data transiting or stored on this information system may be disclosed or used for any lawful government purpose.
-Your consent is final and irrevocable. You may not rely on any statements or informal policies purporting to provide you with any expectation of privacy regarding communications on this system, whether oral or written, by your supervisor or any other official, except USDA's Chief Information Officer.
-Clicking OK affirms your legal consent and agreement to the above notice.
Not that I planned to misuse my computer or talk smack about the administration but it has the essence of big brother
The Federal government is incompetent and rotten to the core. So all this harping falls on deaf ears. Trump is assuming the power to hire and fire any executive branch employee. This would erase the career status in Federal employment. The Supreme Court will decide.