Credentials Revoked Before Firing? Twin Brothers Wipe 96 Government Databases

In a shocking breach of cybersecurity protocol, twin brothers allegedly hacked passwords and wiped 96 government databases within minutes of being fired from their IT positions. The incident, first reported on a firearms forum and later detailed by tech news outlet Ars Technica, has become a textbook example of why organizations must revoke credentials before terminating employees.

How the Twin Brothers Wiped 96 Government Databases

According to a post on CarolinaFirearmsForum, the twin brothers used their knowledge of internal systems to access and destroy sensitive government data almost immediately after receiving their termination notices. The forum thread, which aggregated reporting from multiple sources, described the brothers as having "hacked passwords" to bypass security measures that should have been deactivated.

Ars Technica, in its coverage titled "Drop database: What not to do after losing an IT job," framed the event as a cautionary tale. The publication noted that the brothers, who worked in the same IT department, retained their login credentials after being fired. Within minutes, they used those credentials to execute destructive commands across 96 databases, causing widespread data loss and operational chaos.

The Importance of Revoking Credentials Before Termination

Cybersecurity experts have long warned that failing to revoke access immediately upon termination is a critical vulnerability. In this case, the twin brothers exploited a systemic delay: their accounts were not disabled at the exact moment of firing. The result was a catastrophic data loss that could have been prevented with a simple, automated revocation process.

Why Immediate Credential Revocation Matters

When you fire someone, their access should die before they leave the room. This principle is at the heart of secure employee offboarding. The twin brothers' attack shows that a few minutes is all it takes to cause irreparable damage. Organizations must implement automated systems to revoke credentials before termination notices are delivered.

Common Mistakes in IT Termination Protocols

Many companies delay credential revocation due to bureaucratic processes or oversight. This incident highlights the need for real-time offboarding procedures. IT teams should have a checklist that includes immediate password resets, account disablement, and session termination.

Lessons Learned from the Database Wipe Incident

The incident also highlights the danger of shared or predictable passwords. The brothers allegedly knew each other's credentials and used that knowledge to escalate their attack. Internal investigations are ongoing, but early reports suggest the databases contained sensitive citizen records, financial data, and operational logs.

Strengthening Employee Offboarding Procedures

Government agencies are now scrambling to restore the lost data from backups. However, some databases may be permanently compromised, as backups were also targeted in the attack. The total cost of recovery is expected to run into millions of dollars. This case underscores a fundamental principle of cybersecurity: credentials must be revoked before firings, not after.

Preventing Future Data Breaches

To prevent similar attacks, organizations should adopt multi-factor authentication and audit logs to detect unauthorized access. Regular training on offboarding protocols can also help IT staff act swiftly. The twin brothers wiped 96 government databases in a matter of minutes, but the damage to public trust and institutional security will last far longer.

Organizations across all sectors are urged to review their offboarding procedures immediately. By revoking credentials before termination, you can avoid becoming the next cautionary tale in cybersecurity history.