Hackers breached the Department of Homeland Security's Homeland Security Information Network (HSIN), a platform federal, state, local, and private-sector partners use to share sensitive but unclassified information.
What happened
An unknown threat actor breached HSIN sometime between late May and early June 2026. The attackers targeted HSIN servers and a SharePoint system used for collaboration. DHS has not attributed the attack to a specific actor or foreign government, and investigators have not yet determined whether the attackers stole any documents. DHS isolated the affected systems, mitigated the vulnerability, and launched a forensic investigation. The department's Office of Intelligence and Analysis conducted a damage assessment. DHS says classified networks were not affected and the system remains operational for partners.
TechCrunch reported that the House Homeland Security Committee has since requested a briefing from DHS on the incident, and Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) has publicly pressed DHS and the Department of Justice to determine who breached HSIN and what they accessed.
The backstory
HSIN suffered a prior security incident in 2023. A contractor's coding error misconfigured access permissions within HSIN-Intel, the platform's intelligence section, setting them to "everyone" instead of a limited authorized group. This exposed sensitive data from people in the U.S. and other personally identifiable information to all HSIN users. The exposure lasted roughly two months, from March to May 2023, and reportedly made sensitive U.S. person data as well as FBI and National Counterterrorism Center material readable by tens of thousands of users who were never cleared to see it, according to an internal DHS oversight memo obtained by the Brennan Center for Justice and reported by Security Magazine.
What was said
DHS told BleepingComputer, "The Department of Homeland Security is aware of a recent cyber incident involving a specific, unclassified legacy information sharing environment." The department added, "We immediately took action to isolate the affected systems, mitigate the vulnerability, and launch a comprehensive forensic investigation. There is no indication that classified networks were impacted, and the system remains operational for our partners. As this is an ongoing investigation, we cannot provide further operational details at this time."
Sen. Warner stated, "The information in HSIN, while not classified, is highly sensitive, and its exposure risks national security," and calling on DHS and the DOJ to determine who was behind the breach and to make sure partners get the information and tools they need to manage any resulting risk.
In the know
HSIN lets approved users access data, exchange requests with partner agencies, manage operations, coordinate safety and security for planned events, respond to incidents, and share critical information to protect their communities. The platform supports real-time communication, alerts, and incident management, and is also used to exchange information about persons of interest and potential threats.
DHS designs the platform around what it calls "FSLTTIP" partners which include federal agencies, state governments, local law enforcement, tribal nations, territorial governments, international partners, and private-sector operators, spanning everything from state police and emergency management offices to critical-infrastructure companies.
Why it matters
This breach hits a system that agencies rely on to coordinate real-time responses to active threats. Since the United States is currently overseeing security for World Cup games hosted across the country, unauthorized access to HSIN raises the possibility that security planning, interagency coordination, or response procedures tied to those events were exposed.
Warner also noted that HSIN played a role in coordinating the emergency response to the January 2025 mid-air collision between an American Airlines regional jet and an Army Black Hawk helicopter over Washington, D.C., which killed 67 people, and that the platform was separately supporting security planning for America250, the country's semiquincentennial celebrations.
The bottom line
DHS says classified systems weren't touched and HSIN remains operational, but the investigation is still open and it's unclear whether any documents were taken. With security operations like the World Cup underway, partner agencies relying on HSIN should watch for updates from DHS as the forensic investigation continues.
FAQs
What is the Homeland Security Information Network used for?
It's a DHS platform that lets government, international, and private-sector partners share sensitive but unclassified information, coordinate incident response, and manage security for planned events.
How is unclassified information different from classified information in government systems?
Unclassified information isn't subject to the same restricted-access controls as classified data, but it can still be sensitive enough that its exposure creates real security or privacy risks.
What is double-checking or forensic investigation in a cyberattack response?
It's the process security teams use after a breach to determine how attackers got in, what they accessed, and how to close the vulnerability that let them in.
Why would attackers target an information-sharing platform instead of a single agency's network?
An information-sharing platform can offer access to data and communications from many connected organizations at once, making it a high-value target.
