Thousands of exposed civil servant passwords are up for grabs online

While the password security failures are concerning, they pale in comparison to other nations

Emma Woollacott's avatar
By
published
in News
Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk.
(Image credit: Getty Images)

The passwords of more than 3,000 UK civil servants have been found exposed on the dark web and other publicly available sources, according to research from NordPass.

195 exposed passwords identified by researchers belonged to staff at the Ministry of Justice, 111 from the Ministry of Defence, and 122 from the Department of Work and Pensions.

There were also large numbers of passwords from HM Revenue & Customs, the Home Office, as well as a number of councils including Aberdeen City Council, Lancashire County Council, Newham Council, and Southwark Council.

Notably, NordPass researchers identified 70 compromised passwords of UK Parliament employees.

“Exposure of sensitive data, including passwords, of civil servants is particularly dangerous,” said Karolis Arbačiauskas, head of product at NordPass.

"Compromised passwords can affect not only organizations and their employees but also large numbers of citizens. Moreover, such incidents may also pose serious risks to a country’s strategic interests."

Password security needs shaking up

Some of the passwords came up more than once, thanks to multiple incidents related to one email address, or because several people used the same password.

All told, NordPass said as many as 434 unique passwords were identified during its investigation.

The number of leaked passwords doesn't directly reflect the strength of an organization’s internal security practices, Arbačiauskas noted. For a start, larger organizations with more employees naturally have a bigger digital footprint, increasing the likelihood of credentials being exposed in a breach.

"In many cases, a single malware infection on an employee’s personal device or the compromise of a popular third-party website can expose dozens of accounts,” he said.

“Furthermore, the majority of leaks originate from external sites where employees registered using their work email addresses."

While some of the civil servants’ passwords found in publicly available sources are also weak, many officials were following best practices – long passwords with upper-case letters, numbers, and symbols.

“If these passwords were not changed after their appearance on the dark web and multi-factor authentication (MFA) is not enabled, attackers could potentially access the email accounts and other sensitive information of these civil servants," said Arbačiauskas.

"Moreover, we found hundreds of thousands of email addresses with other exposed data like names, last names, phone numbers, autofills, and cookies. This data can be exploited for phishing attacks and pose significant risks."

Password security is even worse abroad

The UK isn't the only country to see civil servants' passwords exposed. Analysis from the company identified a whopping 53,070 passwords belonging to various US federal agency employees.

1,897 of these were from the Department of Defense, 15,272 from the State Department, 1,706 from the US Army, and 1,331 from the Department of Veterans Affairs.

Meanwhile, 19,538 French public sector emails were exposed, with 13,613 from Italy.

NordPass recommends the use of strong passwords or passphrases, creating a unique password for each account, setting up a password policy and turning on multi-factor authentication (MFA).

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
You might also like
View More ▸