Revealed: Hundreds of passwords linked to government departments leaked on dark web
Hundreds of passwords linked to government agencies were leaked to the dark web.Independent can reveal.
A report exclusively reviewed by this publication reveals more than 700 email addresses and corresponding passwords from nine government domains leaked to the internet Last year, this fueled fears that sensitive taxpayer data or “critical systems” such as power grids could be targeted by hackers.
There were also nine attempts to sell classified documents relating to the UK military and NATO to “bad actors”; Experts warn that this could “directly harm national security.”
NordStellar, a threat exposure management platform that monitors the dark web, says in its report that there are “dangerous vulnerabilities” in the UK government’s cybersecurity strategy, making it a “prime target for cybercriminals” and increasing the risk of sensitive information reaching the dark web.
A cybersecurity expert has warned that the worst kind of government data breach on the dark web could look something like “Afghan lists on steroids”; This is a reference to the disastrous Ministry of Defense data breach, in which the details of thousands of people applying for a UK relocation scheme were leaked online, putting lives at risk.
Among government departments, the most targeted was the Ministry of Justice, where 195 passwords were leaked to the dark web last year. This was followed by the Ministry of Work and Pensions with 122 passwords and the Ministry of Defense with 111 passwords.
Login information for the Home Office, Foreign Office, Commonwealth and Development Office, Department for Transport, UK Parliament, Department of Health and Social Care and HM Revenue and Customs were also leaked last year.
NordStellar’s head of product, Dokuris Noreika, said it was unclear whether the leaked details could be used to access sensitive resources. But he warned urgent action was needed to address cyber security vulnerabilities, adding that there was a “growing danger” of major data leaks.
Leaked passwords could allow hackers to access critical systems such as police, he added. records, databases containing sensitive data of UK citizens or infrastructure networks such as electricity grids or water supplies.
Referring to the Afghan data breach, cybersecurity expert at the Royal United Services Institute (RUSI), Dr. Gareth Mott said: Independent: “If data was leaked of such a sensitive nature that it endangered the national security of the United Kingdom, I do not wish to speculate, but it is clear that this could affect us.
“The consequences of this exposure could be significant, whether it be a shift in political discourse or a breakdown in trust between the public and the government. Depending on the nature of the data and how it is leaked, its secondary effects could be quite significant from an economic or social perspective.”
He continued: “The hope is that these are old passwords from old accounts that are no longer active, that these individuals have moved on to other roles where they don’t use the same passwords… But it’s a pretty big hope.
“All it takes is for an account to still be active, and that is a potential first attack vector for an external actor because they are motivated and know what they are doing.”
This cybersecurity vulnerability comes at a time when a number of government agencies and businesses are falling victim to cyber attacks, the UK’s data watchdog says Independent “calls on the government to go further and faster to raise standards”.
The National Cyber Security Center on Tuesday said the “significant threat” posed by Chinese and Russian hackers was contributing to a record number of serious online attacks.
The Legal Aid Agency suffered a cyber attack in April. A group is believed to have accessed and downloaded significant amounts of personal data of legal aid applicants through the organisation’s digital service from 2007 to May 2025. No arrests were made, but the ShinyHunters cybercrime group reportedly claimed responsibility for the attack on Telegram.
In June, HMRC revealed fraudsters stole £47 million from the online accounts of 100,000 people after posing as taxpayers in a phishing attack. 13 people were arrested as part of the investigation in Romania. A fourteenth man was arrested in Preston.
More recently, two men, aged 17 and 22, were arrested by the Metropolitan Police after the Kido nursery chain suffered a cyberattack; Thousands of children’s private data, including their names, pictures and addresses, is believed to have been leaked onto the dark web.
Meanwhile, a man in his forties has been arrested over an alleged cyberattack that caused disruption at Heathrow, among other European airports, last month.
Jaguar Land Rover, M&S, Harrods and Co-op are among the businesses that have been subject to cyber attacks this year. Dark web-based ransomware groups Scattered Spider and DragonForce claimed joint responsibility for the M&S attack, while DragonForce said they were behind the Co-op attack. HELLCAT ransomware group claimed responsibility for Jaguar Land Rover.
The National Crime Agency said four people were arrested in England as part of its investigation into the M&S, Co-op and Harrods incidents.
The cyber threat to the UK government is “serious and rapidly evolving”, the National Audit Office warned in a report published in January. The NAO expressed particular concern about the government’s new cyber assurance programme, GovAssure, after finding “significant gaps in cyber resilience, with multiple key systems controls at low maturity levels across departments”.
“The risk of cyber-attacks is serious and attacks on essential public services are likely to occur regularly, but the government’s work to address this issue has been slow,” NAO chief executive Gareth Davies said at the time. “To prevent serious incidents, build resilience, and protect the payoff of its operations, the government needs to capture the acute cyber threat it faces.”
A spokesman for the Information Commissioner’s Office said: “Cyber attacks are increasing across all sectors, with government and the public sector seen as a valuable target. “People often do not have the option of sharing their personal information with these agencies, so organizations need to have confidence that they are doing everything they can to protect their data and prevent incidents before they happen.
“We expect all organizations to have robust security measures in place to protect credentials, such as strong passwords and multi-factor authentication and appropriate vulnerability management. Government departments and agencies must maintain the highest security standards.”
A spokesperson for the Department of Science, Innovation and Technology said: “We have strong defenses in place to protect government systems from cybercriminals and we are going further. This includes launching a new cyber resilience model for government, providing greater support to ministries and strengthening our response to rapidly evolving cyber incidents.”
“We are also responding to the increasing threats facing our country through the Cybersecurity and Resilience Act, which will take effect later this year to protect essential services such as energy and water resources and the critical national infrastructure the public relies on.”
A spokesperson for the UK Parliament said: “Parliament takes cybersecurity extremely seriously. Working closely with our partners at the National Cyber Security Centre, we have strong measures in place, including providing advice to ensure users are aware of the risks and how to manage their digital security. We do not comment on the specific details of our cybersecurity controls and policies.”
