An old breach of PoliceOne, the long-running online community for US law-enforcement professionals, has resurfaced. The archive contains roughly 712,000 accounts in username:email:MD5:salt form from a vBulletin export dated July 2014.
The exposure is meaningful for the population it covers. PoliceOne's user base is heavy on email addresses from sheriff's departments, municipal police agencies, federal task forces, and the supporting ecosystem of dispatchers, training organizations, and procurement contacts. Domains from the Los Angeles Sheriff's Department appear, alongside a wide spread of .gov addresses from local and state agencies. Some accounts use personal email addresses that nonetheless pair with full names and signature blocks consistent with active-duty officers.
Why this one is sensitive
vBulletin breaches are usually treated as low-impact. The credentials are old, the passwords cracked easily, the forums often dead. The wrinkle here is the population. Law-enforcement officers are routinely targeted by people they have arrested or investigated, and any leak that pairs a real name with a verified work email and an IP address from a fixed location is the kind of input that a determined adversary will work with. The MD5 hashes themselves crack easily; the more concerning artifact is the metadata around them.
If you used a PoliceOne account in 2014 with a personal email address that is still in use, rotate the password and treat the email as known to anyone who has the dump.