New research indicates that the login credentials of government employees have been online for years.
Threat intelligence company Recorded Future just released a bombshell report indicating that these credentials are associated with 47 US government agencies. This data was discovered in plain sight, on what are called paste sites such as Pastebin.
A credential is generally an email address tied with a password. So, this discovery means that a government email and password unit were openly posted by potential hackers.
According to Recorded Future analyst Scott Donnelly, these findings are bad for a few reasons. For one, it means that government employees are using their work email address on insecure sites — leaving them wide open to hackers if any of those websites is compromised. Worse, many government agencies don’t employ proper login safeguards like two-step authentication, which can require employees to verify any new login attempts with the goal of preventing hacking attempts.
In fact, 12 of the 47 agencies tied to these credential dumps do not use two-step authentication standards, which has become a security must-do.
Coupling this with that fact that over 50% of all internet users reuse their passwords, it’s likely that government networks are hacked from these credentials. If one hacker finds one employee who reused their password, they could take over the account and use a variety of tactics to further infiltrate the entire network.
“All you need is a few [passwords] to work to be able to get it,” Donnelly told Business Insider.
While there’s no way to know if these leaked credentials are what led to the OPM hack, they do highlight that proper security protocol is not in place at many government agencies to prevent such things from happening.
The ultimate take-home from this report is that government agencies should begin safeguarding their networks. This, explained Donnelly, includes implementing two-step authentication, as well as using virtual private networks to ensure better security.