The passwords of more than 3,000 UK civil servants have been found exposed on the dark web and other publicly available sources, according to research from NordPass.
195 exposed passwords identified by researchers belonged to staff at the Ministry of Justice, 111 from the Ministry of Defence, and 122 from the Department of Work and Pensions.
There were also large numbers of passwords from HM Revenue & Customs, the Home Office, as well as a number of councils including Aberdeen City Council, Lancashire County Council, Newham Council, and Southwark Council.
Notably, NordPass researchers identified 70 compromised passwords of UK Parliament employees.
“Exposure of sensitive data, including passwords, of civil servants is particularly dangerous,” said Karolis Arbačiauskas, head of product at NordPass.
"Compromised passwords can affect not only organizations and their employees but also large numbers of citizens. Moreover, such incidents may also pose serious risks to a country’s strategic interests."
Password security needs shaking up
Some of the passwords came up more than once, thanks to multiple incidents related to one email address, or because several people used the same password.
All told, NordPass said as many as 434 unique passwords were identified during its investigation.
The number of leaked passwords doesn't directly reflect the strength of an organization’s internal security practices, Arbačiauskas noted. For a start, larger organizations with more employees naturally have a bigger digital footprint, increasing the likelihood of credentials being exposed in a breach.
"In many cases, a single malware infection on an employee’s personal device or the compromise of a popular third-party website can expose dozens of accounts,” he said.
“Furthermore, the majority of leaks originate from external sites where employees registered using their work email addresses."
While some of the civil servants’ passwords found in publicly available sources are also weak, many officials were following best practices – long passwords with upper-case letters, numbers, and symbols.
“If these passwords were not changed after their appearance on the dark web and multi-factor authentication (MFA) is not enabled, attackers could potentially access the email accounts and other sensitive information of these civil servants," said Arbačiauskas.
"Moreover, we found hundreds of thousands of email addresses with other exposed data like names, last names, phone numbers, autofills, and cookies. This data can be exploited for phishing attacks and pose significant risks."
Password security is even worse abroad
The UK isn't the only country to see civil servants' passwords exposed. Analysis from the company identified a whopping 53,070 passwords belonging to various US federal agency employees.
1,897 of these were from the Department of Defense, 15,272 from the State Department, 1,706 from the US Army, and 1,331 from the Department of Veterans Affairs.
Meanwhile, 19,538 French public sector emails were exposed, with 13,613 from Italy.
NordPass recommends the use of strong passwords or passphrases, creating a unique password for each account, setting up a password policy and turning on multi-factor authentication (MFA).
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Passwords are a problem: Why device-bound passkeys can be the future of secure authentication
- How to create a secure password policy
- The NCSC wants you to start using password managers and passkeys
-
What is a tensor processing unit (TPU)?Explainer Google's in-house AI chips are the most notable alternative to Nvidia at the enterprise scale
-
Cyber Security and Resilience Bill: Security experts question practicality, scope of new legislationNews The new legislation aims to shore up critical infrastructure defenses, but questions remain over compliance and scope
-
Laid off Intel engineer accused of stealing 18,000 files on the way outNews Intel wants the files back, so it's filed a lawsuit claiming $250,000 in damages
-
GitHub is awash with leaked AI company secrets – API keys, tokens, and credentials were all found out in the openNews Wiz research suggests AI leaders need to clean up their act when it comes to secrets leaking
-
When cyber professionals go rogue: A former ‘ransomware negotiator’ has been charged amid claims they attacked and extorted businessesNews The attackers are alleged to have demanded ransoms of up to $10 million
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
-
US telco confirms hackers breached systems in stealthy state-backed cyber campaign – and remained undetected for nearly a yearNews The hackers remained undetected in the Ribbon Communications’ systems for months
-
Google says reports of a 'huge' Gmail breach affecting millions of users are false, againNews Reports of a major Gmail affecting millions of users have been flooding the web this week – Google says they're "false" and you've nothing to worry about.
-
Enterprises can’t keep a lid on surging cyber incident costsNews With increasing threats and continuing skills shortages, AI tools are becoming a necessity for some
-
Cyber researchers have already identified several big security vulnerabilities on OpenAI’s Atlas browserNews Security researchers have uncovered a Cross-Site Request Forgery (CSRF) attack and a prompt injection technique
