Report: US government login credentials leaked online

Chuck Bednar for – @BednarChuck

Nearly four-dozen US government agencies have had their login credentials stolen and posted online, Cambridge, Massachusetts-based Internet technology and web intelligence firm Recorded Future revealed in a new report released earlier this week.

According to BBC News, passwords from up to 47 different federal groups were found on public websites such as Pastebin, and while it was impossible to say for sure, some of them could be active. Recorded Future believes that the passwords were stolen after government workers used their official emails to log into third-party websites infected with malware.

The company reportedly scanned more than 680,000 online sources over a 12-month period and found 705 emails and passwords originating from the Departments of Defense, Justice and Energy, the Treasury, the CIA, and the National Intelligence director.

Passwords may not be active, could have been encrypted

In a Wednesday blog post, Recorded Future officials explained that the possible exposures were found across 89 unique domains and involved a total of 12 agencies, including some that allowed employees to access computer networks with no form of two-factor authentication.

Two-factor authentication, the BBC explained, requires computer users to have a pair of separate components to their logins, and limits remote access to systems to virtual private networks. This technique is based on the theory that unauthorized users are unlikely to be able to supply both of the factors required to gain access to an account.

The company added that “the presence of these credentials on the open Web” leaves the agencies “vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.” The findings were made using their Web Intelligence Engine, which they claim helps analysts search and monitor open source data to find patterns.

Recorded Future told Wired that it doesn’t know just how many of the leaked credentials are actually working passwords belonging to government employees, but representatives noted that studies have shown that nearly half of all Internet users recycle their passwords. They also said that most of the passwords appeared to be strong, and may have been encrypted with hashtag functions that makes them unreadable to unauthorized third parties.


Follow redOrbit on Twitter, Facebook, Google+, Instagram and Pinterest.