The US Congressional Budget Office confirmed that it was hacked.
Caitlin Emma, a spokeswoman for the CBO, told TechCrunch on Friday that the agency is investigating the breach and “has identified the security incident, taken immediate steps to mitigate it, and implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”
CBO is a nonpartisan organization that provides economic analysis and cost estimates to lawmakers during the federal budget process, even after bills pass through House and Senate committees.
On Thursday, the Washington Post, which first reported the breach, said unspecified foreign hackers were behind the intrusion. According to the Post, CBO officials are concerned that the hackers accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO investigators.
Reuters reported that the Senate Sergeant at Arms office, the Senate’s law enforcement agency, notified congressional offices of a breach, warning them that emails between the CBO and the offices could have been compromised and used to create and send phishing attacks.
It is not clear how the hackers gained access to the CBO network. But soon after news of the breach broke, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers may have exploited CBO’s antiquated Cisco firewall to break into the agency’s network.
Last month, Beaumont noted that CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his post, CBO’s firewall was reportedly vulnerable to a number of recently discovered security flaws, which were being exploited by suspected hackers backed by the Chinese government.
Beaumont said the CBO firewall had not been fixed by the time the federal government shutdown went into effect on Oct. 1.
On Thursday, Beaumont said that the firewall is now offline.
A CBO spokesman declined to comment when asked about Beaumont’s findings. Cisco representatives did not immediately respond to a request for comment.
