
Thousands of civil servant passwords leaked online as experts warn of ‘serious risk’

More than 3,000 passwords belonging to civil servants have been exposed online since the beginning of 2024, according to new research, and experts have warned it could pose a “serious risk” to national security.

A report by NordPass, which uses threat exposure management platform NordStellar, found that 3,014 passwords belonging to British civil servants were leaked on the deep web, which covers parts of the internet not generally indexed by search engines, and the dark web, a small, encrypted part of the deep web that requires special software to access and is often associated with cybercrime.

The report names four local authorities whose passwords were exposed online: a total of 538 passwords from Aberdeen City Council, 38 passwords from Lancashire County Council, 73 passwords from Newham Council and 42 passwords from Southwark Council were leaked onto the dark and deep web.

This comes after The Independent revealed last year that hundreds of passwords and email addresses linked to UK government agencies had been published on the dark web, highlighting a major threat to the UK’s cyber and national security. The government departments most affected include the Ministry of Justice, with 195 passwords, the Ministry of Defence (111) and the Department for Work and Pensions (122).

Sensitive data exposed by public officials is particularly dangerous as it could pose serious risks to the UK’s strategic interests, a cybersecurity expert has warned.

Karolis Arbačiauskas, Head of Product at NordPass, said: “The disclosure of sensitive data of civil servants, including their passwords, is particularly dangerous. Hacked passwords can affect not only organizations and their employees, but also large numbers of citizens. Moreover, such incidents can also pose serious risks to a country’s strategic interests.”

Marks and Spencer suffered a cyber attack earlier this year (PA Wire)

The report added that the number of leaked passwords does not necessarily reflect the strength of an organization’s internal security, although “the vast majority of exposed passwords are passwords of employees working at regional-level institutions.”

“These figures are often influenced by external factors,” said Mr. Arbačiauskas. “Larger organizations with more employees naturally have a larger digital footprint, which statistically increases the likelihood of credentials being exposed in a breach. In many cases, a single malware infection of an employee’s personal device or a takeover of a popular third-party website can lead to dozens of accounts being exposed. Additionally, most leaks come from external sites where employees sign up using their work email addresses.”

He encouraged the practice of creating an organization-wide password policy, never reusing passwords, and using multi-factor authentication.

“If these passwords are not changed after they appear on the dark web and multi-factor authentication (MFA) is not enabled, attackers could potentially gain access to these officers’ email accounts and other sensitive information,” he said. “We also found hundreds of thousands of email addresses where other information such as first names, last names, phone numbers, autofills and cookies were exposed. This data can be used for phishing attacks and pose significant risks.”

A “significant threat” from Chinese and Russian hackers is contributing to a record number of serious online attacks, the National Cyber Security Centre (NCSC) said on Tuesday. A number of UK businesses including M&S, Jaguar Land Rover and the Co-op have suffered cyber attacks this year, disrupting their operations and costing companies billions of dollars.

In the year to the end of August, the NCSC provided support in 429 cases. Of these, 204 were considered “nationally significant events”, an increase from 89 cases in the previous 12 months. Of these, 18 were classified as “extremely important”, meaning they have serious impacts on the government, essential services, the economy or large parts of the UK population.

A spokesperson for Newham Council said: “It is an unfortunate fact that organizations such as Newham Council will always be targets for criminals. Newham Council takes cyber security extremely seriously and has a robust range of measures in place to reduce risk. We provide regular training and guidance to our employees, making them aware of the risks and effective technical controls to reduce specific cyber risks. We do not comment on the specific details of our cyber security controls and policies.”

An Aberdeen City Council spokesperson said: “Aberdeen City Council regularly reviews lists of compromised credentials through the National Cyber Security Centre and other official sources. These email/password combinations are often used to sign up to external sites or services rather than compromise the council’s tenant. Regardless of this, all affected account holders are contacted and their passwords reset as a matter of course.”

The Independent approached Lancashire County Council and Southwark Council for comment.
