The passwords of more than 3,000 UK civil servants have been found exposed on the dark web and other publicly available sources, according to research from NordPass.
195 exposed passwords identified by researchers belonged to staff at the Ministry of Justice, 111 from the Ministry of Defence, and 122 from the Department of Work and Pensions.
There were also large numbers of passwords from HM Revenue & Customs, the Home Office, as well as a number of councils including Aberdeen City Council, Lancashire County Council, Newham Council, and Southwark Council.
Notably, NordPass researchers identified 70 compromised passwords of UK Parliament employees.
“Exposure of sensitive data, including passwords, of civil servants is particularly dangerous,” said Karolis Arbačiauskas, head of product at NordPass.
"Compromised passwords can affect not only organizations and their employees but also large numbers of citizens. Moreover, such incidents may also pose serious risks to a country’s strategic interests."
Password security needs shaking up
Some of the passwords came up more than once, thanks to multiple incidents related to one email address, or because several people used the same password.
All told, NordPass said as many as 434 unique passwords were identified during its investigation.
The number of leaked passwords doesn't directly reflect the strength of an organization’s internal security practices, Arbačiauskas noted. For a start, larger organizations with more employees naturally have a bigger digital footprint, increasing the likelihood of credentials being exposed in a breach.
"In many cases, a single malware infection on an employee’s personal device or the compromise of a popular third-party website can expose dozens of accounts,” he said.
“Furthermore, the majority of leaks originate from external sites where employees registered using their work email addresses."
While some of the civil servants’ passwords found in publicly available sources are also weak, many officials were following best practices – long passwords with upper-case letters, numbers, and symbols.
“If these passwords were not changed after their appearance on the dark web and multi-factor authentication (MFA) is not enabled, attackers could potentially access the email accounts and other sensitive information of these civil servants," said Arbačiauskas.
"Moreover, we found hundreds of thousands of email addresses with other exposed data like names, last names, phone numbers, autofills, and cookies. This data can be exploited for phishing attacks and pose significant risks."
Password security is even worse abroad
The UK isn't the only country to see civil servants' passwords exposed. Analysis from the company identified a whopping 53,070 passwords belonging to various US federal agency employees.
1,897 of these were from the Department of Defense, 15,272 from the State Department, 1,706 from the US Army, and 1,331 from the Department of Veterans Affairs.
Meanwhile, 19,538 French public sector emails were exposed, with 13,613 from Italy.
NordPass recommends the use of strong passwords or passphrases, creating a unique password for each account, setting up a password policy and turning on multi-factor authentication (MFA).
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Passwords are a problem: Why device-bound passkeys can be the future of secure authentication
- How to create a secure password policy
- The NCSC wants you to start using password managers and passkeys
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
