Explicit AI links planted on WA government sites as multi-state hack hits 36 governments

Washington state sites on wa.gov briefly showed links to explicit AI apps after a multi-state hack. Agencies removed the spam and are working with WaTech while they investigate.

Published on: Dec 07, 2025

Explicit AI links discovered on WA.gov sites amid multi-state hack

Several Washington government websites briefly displayed links to explicit AI apps and content after a multi-state web compromise. Affected sites included the Washington Department of Fish and Wildlife (WDFW), the Washington State Department of Veterans Affairs, and the Washington Fire Commissioners Association. All used wa.gov domains.

The injected links promoted AI sex apps, AI-generated nude images, and explicit AI chatbots. WDFW said it is working with WaTech to address the issue. Veterans Affairs reported the links were removed.

What we know so far

Officials have not confirmed the exact entry point. On the Veterans Affairs site, users could upload details to a group calendar; that feature was disabled after the breach. "The 10 IP addresses that were used to upload this inappropriate content have also been blocked," said Heidi Audette, communications and legislative director for the department.

The incident is part of a broader pattern. Similar AI-related content appeared on the Kansas Attorney General's website late last month, and AI-fabricated nude images were visible on Nevada's Department of Transportation website. Experts estimate roughly 36 governments across about 18 states were affected.

Probable vectors (not yet confirmed)

  • User-generated content modules with weak moderation or upload controls.
  • Outdated CMS plugins, themes, or extensions with known vulnerabilities.
  • Insufficient input validation or sanitization on forms, calendars, or comment fields.
  • SEO spam injection using compromised admin credentials or exposed APIs.

Immediate actions for government web teams

  • Remove or unpublish compromised pages. Purge CDN and platform caches.
  • Temporarily disable public uploads, comments, and calendar submissions. Require sign-in for any remaining submissions.
  • Block offending IPs and user agents. Enable rate limiting and bot protection.
  • Review access logs for unusual POST requests, new admin accounts, and plugin changes.
  • Rotate CMS, SSO, and hosting credentials. Enforce MFA for all admins.
  • Patch CMS core, plugins, and server components immediately. Remove unused extensions.
  • Set urgent WAF rules to block common injection patterns and URL parameters used in the incident.
  • Verify DNS, domain records, and redirects. Check Google Search Console for indexed spam URLs and request reindexing after cleanup.
  • Post a brief notice acknowledging the issue once verified clean. Avoid repeating explicit keywords in public statements.
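
The access-log review step above, sketched as an added example (not code from any affected agency or from this article's sources): it flags IPs that POST repeatedly to public submission endpoints and lists successful POSTs to account and plugin administration paths. The log lines, endpoint paths and threshold are constructed assumptions; substitute your CMS's real routes.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; IPs are documentation
# ranges and the paths are hypothetical, not taken from any affected site.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2025:02:14:07 +0000] "POST /calendar/submit HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.10 - - [01/Dec/2025:02:14:09 +0000] "POST /calendar/submit HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.10 - - [01/Dec/2025:02:14:11 +0000] "POST /calendar/submit HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Dec/2025:09:30:00 +0000] "GET /calendar HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2025:09:31:12 +0000] "POST /calendar/submit HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Dec/2025:03:02:44 +0000] "POST /admin/users/new HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.5 - - [01/Dec/2025:03:03:10 +0000] "POST /admin/plugins/install HTTP/1.1" 200 130 "-" "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SUBMIT_PREFIXES = ("/calendar/submit", "/upload", "/comments")  # assumed
ADMIN_PREFIXES = ("/admin/users", "/admin/plugins")             # assumed
BURST_THRESHOLD = 3  # POSTs per IP to submission endpoints before flagging


def review(log_text, threshold=BURST_THRESHOLD):
    """Return (IPs at or over threshold on submission endpoints, admin hits)."""
    posts = defaultdict(int)
    admin_hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable lines and non-POSTs are out of scope here
        path = m["path"].split("?", 1)[0]
        if path.startswith(SUBMIT_PREFIXES):
            posts[m["ip"]] += 1
        elif path.startswith(ADMIN_PREFIXES) and m["status"][0] in "23":
            admin_hits.append((m["ip"], m["ts"], path))
    bursts = {ip: n for ip, n in posts.items() if n >= threshold}
    return bursts, admin_hits


if __name__ == "__main__":
    bursts, admin_hits = review(SAMPLE_LOG)
    print("submission bursts:", bursts)
    for hit in admin_hits:
        print("admin change:", *hit)
```

Run it per day or per hour of logs rather than over the whole archive, so a fixed threshold reflects a rate and not a lifetime total.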

Hardening over the next 30 days

  • Lock down upload endpoints: authentication, file type allowlists, size limits, and server-side malware scanning.
  • Require pre-moderation for any public submissions. Log every submission with IP, timestamp, and user ID.
  • Implement headers and controls: Content Security Policy, X-Content-Type-Options, Referrer-Policy, and strict cookie settings.
  • Sanitize inputs and strip HTML where not required. Use parameterized queries everywhere.
  • Add CAPTCHA and per-IP throttling to forms. Apply least-privilege roles in CMS and hosting.
  • Set a monthly patch cadence with dependency monitoring. Track CVEs for all plugins and themes.
  • Enable file integrity monitoring and alerting for unexpected changes to templates and uploads.
  • Test backups and restore procedures. Run an incident response tabletop with comms, IT, and leadership.
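
One way to combine the sanitization, pre-moderation and submission-logging items above for a public calendar or comment form, as an added example (not code from the article or from any agency): markup is stripped so only plain text is stored, and any submission that references a host outside an allowlist is held instead of queued. The allowlist host, field names and status values are hypothetical.

```python
import re
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_LINK_HOSTS = {"agency.example"}  # hypothetical; exact-match hosts only
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

class _Stripper(HTMLParser):
    """Collects text content and href/src targets; all markup is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        self.links += [v for k, v in attrs if k in ("href", "src") and v]

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:  # script/style bodies never reach stored text
            self.text.append(data)

def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return "unparseable-url"  # never allowlisted, so it forces a hold

def screen_submission(raw, ip, user_id):
    """Strip HTML, then queue for moderation or hold if it links off-site."""
    p = _Stripper()
    p.feed(raw)
    p.close()
    clean = " ".join("".join(p.text).split())
    urls = set(p.links) | set(URL_RE.findall(clean))
    external = sorted({h for h in map(_host, urls)
                       if h and h not in ALLOWED_LINK_HOSTS})
    return {
        "ip": ip, "user_id": user_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "text": clean, "external_hosts": external,
        "status": "held" if external else "pending_moderation",
    }
```

Neither status publishes anything: "pending_moderation" still waits for a human reviewer, and "held" marks the record for security review first.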

Who to loop in

  • State IT leadership and your enterprise security team (e.g., WaTech for Washington agencies).
  • MS-ISAC for coordinated incident reporting and guidance.
  • Hosting providers and CMS vendors for logs, patches, and recovery support.
  • Public information officers for unified messaging and media response.
  • Law enforcement if you find criminal activity or widespread compromise.

Why this matters

Defacements and link injections erode public trust, damage an agency's reputation, and can mislead residents. They also pollute search results and may expose visitors to harmful sites. Fast containment and clear communication keep services credible and reduce downstream costs.

Team readiness

If your agency is rolling out AI policies or training, make sure staff know how to evaluate AI tools, spot malicious prompts, and handle public submissions. For structured programs, see AI course options for public-sector teams at Complete AI Training.

This is a developing situation. We will update as agencies share verified details and remediation timelines.

