Stolen email and passwords belonging to individuals from nearly 50 Government agencies have leaked online, according to a CIA backed startup out of Boston. According to a report from Recorded Future, login credentials from 47 agencies were found to have been leaked on upwards of 89 unique domains.
Compounding matters is that 12 of the affected agencies, including the Department of Energy, do not implement two-factor authentication. As a result, the report notes that “the presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.”
CBS has since revealed that the 12 agencies who haven’t yet implemented two-factor authentication include “the General Services Administration, USAID, and the departments of State, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Interior and Homeland Security.”
In compiling their report, Recorded Future notes that they used proprietary technology to scan over 680,000 different websites across seven languages. The report details that most credentials were compromised when Federal workers logged into third-party websites using the same credentials used to log in at work.
The report reads in part:
In many cases, our research identified the immediate removal of the credentials by sites such as pastebin.com. However, to Recorded Future’s knowledge, no efforts are made to contact government agencies whose credentials may be posted on a paste site. Further, while the information may be removed from a paste site, it likely still circulates in private circles and is available to the original attackers.
What makes this report all the more worrisome is that it’s wholly unrelated to recent the hack on the Office of Personnel Management where hackers made off with the personal information of at least 4 million federal workers. The compromised data in that particular security breach included social security numbers, birth dates, addresses, job and pay history, health insurance information, and much more.