CIA and Google Ventures-backed private company Recorded Future says stolen government login credentials have been spotted all over the web, leading to the possible exposure of logins for 47 US government agencies spread across 89 unique domains.
Focusing its research solely on Pastebin.com and 16 other paste sites, where hacker groups have been known to dump such data, the company says agency exposure across the entire web could conceivably be much larger than its small sample suggests.
In Government Credentials on the Open Web, the company cites a February 2015 report from the Office of Management and Budget (OBM) to Congress that highlighted how 12 of those agencies allowed some level of access to their networks without the additional security afforded by two-factor authentication.
That’s particularly pertinent right now, given how analysis of the recent Office of Personnel Management (OPM) breach suggests that government employee data and social security numbers were left particularly vulnerable by a lack of two-factor authentication combined with a lack of encryption.
Recorded Future found login and password combinations (it didn’t test whether or not they were hashed and salted) for all of those 12 agencies on the open web but the worst offenders were the Department of Energy – for which nine email and password pairs were identified – and the Departments of Commerce and the Interior, both with seven different domains suffering similar exposure.
According to Wired, government email addresses and passwords had been scooped up from a wide variety of sites, including those used for placing hotel reviews, bikeshare programs and various other low-budget sites, where security was not likely to be sufficient to protect government employees who had signed up with their .gov accounts.
As a result, the report unsurprisingly said:
The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.
Analyst Scott Donnelly pointed out how, if any of the federal employees had used their agency password along with their government email address – and we know that many people do reuse passwords across some or all of their online accounts – the result could be a fully exposed set of credentials allowing access to their agency’s network:
You only need one to work to begin a social engineering campaign. These are piles of credentials sitting out there on the open web.
And, even where government employees are not reusing passwords, there is still the risk that they are using weak ones that can be easily cracked.
If you are a US government worker (or anyone else) struggling to come up with a strong password, the following video can help: