The Democratic National Committee said late Wednesday that it had mistaken an "unauthorized" security test for an attempt to hack into its voter database.
News broke Wednesday afternoon that the DNC had been notified of fake websites set up to look like legitimate logins for its staffers, prompting the DNC to notify the FBI. These kinds of attempts to breach security systems, known as phishing attacks, are a common tactic used by malicious agents to acquire usernames and passwords that can then be used to access sensitive systems.
But the DNC walked back its claim, saying that further investigation of the pages revealed that they appeared to have been an unauthorized test.
"We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder," said Bob Lord, chief security officer for the DNC. "The test, which mimicked several attributes of actual attacks on the Democratic party's voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors."
A Democratic official who was not authorized to speak publicly on the matter said the websites were an unauthorized test by the Michigan Democratic Party to mimic a sophisticated phishing attempt. Vendors and others were not alerted to the test, which is why the DNC reacted strongly to it.
Lord did not clarify who or what set up the phishing pages, but said that they "took the necessary precautions to ensure that sensitive data critical to candidates and state parties across the country was not compromised."
With the midterm elections less than three months away, security experts and government officials have repeatedly warned about continued efforts by foreign governments and bad actors to penetrate political campaigns and voting systems.
The DNC and the Democratic Congressional Campaign Committee were victims of one of the most effective cyberattacks in political history in 2016, which led to the release of Democratic emails during the election season.