HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Romanian Hacker Sentenced for Selling Stolen Oregon Emergency Management Credentials, Exposing Employee PII

Catalin Dragomir, a Romanian national, was sentenced to 56 months after selling admin credentials stolen from Oregon’s Office of Emergency Management. The breach exposed employee personal data and affected ten other U.S. companies, underscoring third‑party credential risks for TPRM programs.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 therecord.media
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
therecord.media

Romanian Hacker Sentenced for Selling Stolen Oregon Emergency Management Credentials, Exposing Employee PII

What Happened – Catalin Dragomir, a 46‑year‑old Romanian national, pleaded guilty to aggravated identity theft and illegal access to a protected computer after repeatedly breaching Oregon’s Office of Emergency Management. He advertised and sold the stolen administrative credentials on a dark‑web marketplace, then distributed employee personal data (name, email, DOB, SSN). The same tactics were used against ten additional U.S. companies, causing at least $250 k in losses.

Why It Matters for TPRM

  • Credential‑as‑a‑service attacks can originate from any geography, bypassing traditional perimeter defenses.
  • Exposure of employee PII in a government agency raises compliance and reputational risks for downstream vendors.
  • The case highlights the need for continuous monitoring of third‑party access and robust identity‑management controls.

Who Is Affected – State and local government agencies, plus a cross‑sector set of U.S. private companies that relied on the compromised credentials.

Recommended Actions

  • Review all third‑party access agreements for privileged accounts.
  • Enforce multi‑factor authentication and least‑privilege principles on all admin credentials.
  • Deploy real‑time credential‑theft detection and dark‑web monitoring services.
  • Conduct a forensic review of any systems that may have been accessed using the sold credentials.

Technical Notes – Attack vector: sale of stolen administrative credentials via a dark‑web ad (STOLEN_CREDENTIALS). Data exfiltrated: employee name, email, date of birth, Social Security number. No public CVE was involved; the breach leveraged weak credential hygiene and lack of MFA. Source: The Record

📰 Original Source
https://therecord.media/romanian-national-sentenced-to-over-4-years-oregon-hack

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →