- Are there really 20,000 FBI agents? That seems like an awfully big number.
- Did the hacker get this information by exploiting technology vulnerabilities, or some other way?
The second question is answered by this article. Assuming that information is accurate and complete (and I feel foolish even considering that, given it's sourced by a news organization), the information was obtained by good old-fashioned Kevin Mitnick-style “social engineering”. The hacker tricked someone into giving him access to a classified account. No special technical knowledge required. This is very often the case – the very best, most perfectly maintained security technology can easily be bypassed if a hacker can trick an authorized user into letting him in.
Not long ago I read a version of this social engineering that involved something else altogether: a way to steal valuable cars. It seems a gang of car thieves realized that customers of a restaurant with valet service were voluntarily handing the keys of their cars to the valets. So they paid the real valets at a fancy Boston restaurant to take a night off – and they paid them very well. Then the car thieves too the place of the real valets, and parked customer's cars for about an hour. Then they simply drove off with the eight most valuable customer's cars, using the keys that the customers handed them. At the time the news story I read was written, they had not been caught.
Often the social engineering approaches that succeed at hacking into things like those FBI records are just as plausible as that car example. Most of the time, if you poke into the details, you'll come away thinking “That could have happened to me!” It doesn't take particularly stupid or foolish people to be tricked...