https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/
shows how it was done (taking advantage of absolutely idiotic FBI software developers):
Much of that process involves filling out forms with the applicant’s personal and contact information, and that of their organization. A critical step in that process says applicants will receive an email confirmation from eims@ic.fbi.gov with a one-time passcode — ostensibly to validate that the applicant can receive email at the domain in question.
But according to Pompompurin, the FBI’s own website leaked that one-time passcode in the HTML code of the web page.
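Added example (not part of the thread, the article, or the FBI's code): one way to keep a one-time passcode out of the page markup is to hold only a salted hash of it server-side, send the code by email only, and compare submissions on the server. The names OtpStore, send_email, OTP_TTL and MAX_ATTEMPTS are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 600      # assumed passcode lifetime in seconds
MAX_ATTEMPTS = 5   # assumed limit on guesses per issued passcode


class OtpStore:
    """Server-side passcode state. The code is never stored in clear or rendered."""

    def __init__(self, send_email):
        self._send_email = send_email  # hypothetical out-of-band delivery callback
        self._pending = {}             # session_id -> [salt, digest, expiry, attempts]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, session_id, address, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[session_id] = [salt, self._digest(salt, code), now + OTP_TTL, 0]
        self._send_email(address, code)  # the only path by which the code leaves the server
        # The HTML returned to the browser carries no copy of the code.
        return "<p>A passcode was sent to your address. Enter it below.</p>"

    def verify(self, session_id, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        salt, digest, expiry, attempts = entry
        if now > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]  # expired or guessed too often: force a re-issue
            return False
        entry[3] += 1
        ok = hmac.compare_digest(digest, self._digest(salt, submitted))
        if ok:
            del self._pending[session_id]  # single use
        return ok
```

A regression test for this class of bug captures the code handed to the mail callback and asserts that it does not appear anywhere in the response body.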
Thank you for sharing those details. :)
Goes to again... Unless they knock on your door with a warrant don’t give anybody nothin... :)
As the quote in the article said, it's fortunate that the hackers didn't use it to extort sensitive data from recipients in the name of the FBI. The FBI would never have known.