Case study

The defaced library homepage at 11pm on a long weekend.

A CivicPlus credential-stuffing hit, a public-facing page rewritten, and a 19-minute response that kept residents informed.

Size: ≈58,000 residents
Vector: Credential stuffing on a municipal CMS admin account
Jurisdiction: US municipality (county-seat city)
Outcome: Page restored in 19 minutes; no resident data exposed; admin MFA rolled out site-wide the next business day.

Illustrative composite. Real incident shape, anonymized municipality.

Sunday, 10:47pm, on a long weekend. A resident texts the city's communications director: the library's homepage now displays a political slogan in Cyrillic and a meme. The resident has screenshotted it and is asking if it's real.

10:52pm. The communications director can confirm it's real on her phone. She calls the on-call IT lead. The IT lead opens the CMS admin portal: the library editor account is logged in from an IP in Eastern Europe, last activity two minutes ago.

10:58pm. IT revokes all sessions for the library account, forces a password reset, and disables the account entirely. The CMS vendor's after-hours line is called; a P1 case is opened and flagged as Security.

11:06pm. The defacement is reverted from the CMS revision history. The page is restored to its prior version. Total visible-to-public window: 19 minutes from first report.

11:18pm. The communications director posts a short note on the city's official social channels (not the CMS): "The library website was briefly altered tonight. The page has been restored. No resident data was accessed. We will share more after our review." Three sentences, no speculation, no threat-actor naming.

Tuesday. CMS vendor confirms the entry vector: credential reuse. The library editor's password matched a credential from a 2022 third-party breach in HaveIBeenPwned. No other accounts in the tenant were compromised. The city enforces MFA on every CMS admin and editor account within 24 hours.

What went right. A resident knew which staffer to text. The on-call IT lead actually answered. Session revocation before password reset (the right order). A short, factual public statement from an off-CMS channel. CMS revision history made restoration trivial.

What didn't. MFA had not been enforced on CMS editor accounts, only on admins. The library account's password had not been rotated in three years. There was no automated alert on logins from new countries; the only reason anyone found out was a resident's text message.

Lessons

Things every small municipality can copy.

  • Enforce MFA on every CMS editor account, not just admin accounts.
  • Post a short, factual update from a non-affected channel within the first hour.
  • If your CMS supports it, enable login-from-new-country alerts; they're often the cheapest early-warning signal you have.
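The login-from-new-country alert recommended above, as an added example that is not part of the original case study: it parses constructed CMS audit-log lines (the log format, account names and the country code RO standing in for the timeline's "Eastern Europe" IP are all assumptions) and flags a successful login from a country that account has never logged in from before.

```python
# Added example (not from the original case study): a minimal "login from a new
# country" detector run over constructed CMS audit-log lines. The line format is
# assumed; adapt the regex to whatever your CMS actually exports.
import re
from collections import defaultdict

# Constructed sample audit lines: ISO timestamp, event, account, country code.
SAMPLE_LOG = """\
2024-08-12T09:14:03Z login_success user=library_editor country=US
2024-08-19T08:57:41Z login_success user=library_editor country=US
2024-08-26T09:02:18Z login_success user=comms_director country=US
2024-09-01T22:41:09Z login_failure user=library_editor country=RO
2024-09-01T22:41:22Z login_success user=library_editor country=RO
2024-09-01T22:43:55Z page_publish user=library_editor country=RO
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) country=([A-Z]{2})$")

def parse_lines(text):
    """Yield (timestamp, event, user, country) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def new_country_alerts(text, baseline=None):
    """Return alerts for successful logins from a country not previously seen
    for that account. `baseline` seeds known countries per user (e.g. from the
    last 90 days of logs); without it, the first login observed for a user is
    trusted, so feed a history window, not just tonight's lines."""
    seen = defaultdict(set)
    for user, countries in (baseline or {}).items():
        seen[user].update(countries)
    alerts = []
    for ts, event, user, country in parse_lines(text):
        if event != "login_success":
            continue  # failures and content events do not change the baseline
        if user in seen and country not in seen[user]:
            alerts.append({"ts": ts, "user": user, "country": country,
                           "known": sorted(seen[user])})
        seen[user].add(country)
    return alerts

if __name__ == "__main__":
    for a in new_country_alerts(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['user']} logged in from {a['country']} "
              f"(previously seen: {', '.join(a['known'])})")
```

Run against the sample, the only alert is the 22:41 editor login from RO; in the timeline this is the signal that would have reached IT before the resident's text did.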