The passwords of more than 3,000 UK civil servants have been found exposed on the dark web and other publicly available sources, according to research from NordPass.
195 exposed passwords identified by researchers belonged to staff at the Ministry of Justice, 111 from the Ministry of Defence, and 122 from the Department of Work and Pensions.
There were also large numbers of passwords from HM Revenue & Customs, the Home Office, as well as a number of councils including Aberdeen City Council, Lancashire County Council, Newham Council, and Southwark Council.
Notably, NordPass researchers identified 70 compromised passwords of UK Parliament employees.
“Exposure of sensitive data, including passwords, of civil servants is particularly dangerous,” said Karolis Arbačiauskas, head of product at NordPass.
"Compromised passwords can affect not only organizations and their employees but also large numbers of citizens. Moreover, such incidents may also pose serious risks to a country’s strategic interests."
Password security needs shaking up
Some of the passwords came up more than once, thanks to multiple incidents related to one email address, or because several people used the same password.
All told, NordPass said as many as 434 unique passwords were identified during its investigation.
The number of leaked passwords doesn't directly reflect the strength of an organization’s internal security practices, Arbačiauskas noted. For a start, larger organizations with more employees naturally have a bigger digital footprint, increasing the likelihood of credentials being exposed in a breach.
"In many cases, a single malware infection on an employee’s personal device or the compromise of a popular third-party website can expose dozens of accounts,” he said.
“Furthermore, the majority of leaks originate from external sites where employees registered using their work email addresses."
While some of the civil servants’ passwords found in publicly available sources are also weak, many officials were following best practices – long passwords with upper-case letters, numbers, and symbols.
“If these passwords were not changed after their appearance on the dark web and multi-factor authentication (MFA) is not enabled, attackers could potentially access the email accounts and other sensitive information of these civil servants," said Arbačiauskas.
"Moreover, we found hundreds of thousands of email addresses with other exposed data like names, last names, phone numbers, autofills, and cookies. This data can be exploited for phishing attacks and pose significant risks."
Password security is even worse abroad
The UK isn't the only country to see civil servants' passwords exposed. Analysis from the company identified a whopping 53,070 passwords belonging to various US federal agency employees.
1,897 of these were from the Department of Defense, 15,272 from the State Department, 1,706 from the US Army, and 1,331 from the Department of Veterans Affairs.
Meanwhile, 19,538 French public sector emails were exposed, with 13,613 from Italy.
NordPass recommends the use of strong passwords or passphrases, creating a unique password for each account, setting up a password policy and turning on multi-factor authentication (MFA).
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Passwords are a problem: Why device-bound passkeys can be the future of secure authentication
- How to create a secure password policy
- The NCSC wants you to start using password managers and passkeys
-
AI legal confidence: What is it and how do you get there?Supported AI is reshaping legal practice, but doing so successfully comes down to building trust and confidence...
-
Warning issued over critical flaws spotted in TP-Link routersNews Researchers have spotted a pair of flaws in TP-Link routers, including a variation of a previously patched vulnerability
-
Former NCSC head says the Jaguar Land Rover attack was the 'single most financially damaging cyber event ever to hit the UK' as impact laid bareNews Researchers said they place the UK financial impact of the attack on Jaguar Land Rover at around £1.9 billion.
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
Cyber experts have been warning about AI-powered DDoS attacks – now they’re becoming a realityNews DDoS attackers are flocking to AI tools and solutions to power increasingly devastating attacks
-
Microsoft issues warning over “opportunistic” cyber criminals targeting big businessNews Microsoft has called on governments to do more to support organizations
-
Europol takes down SIM farm network that scammed thousands of victimsNews The sophisticated operation led to crimes from simple phishing to investment fraud
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Hackers stole source code, bug details in disastrous F5 security incident – here’s everything we know and how to protect yourselfNews CISA has warned the F5 security incident presents a serious threat to federal networks
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
