Politicians’ passwords sold online
BRITAIN: Passwords belonging to British cabinet ministers, ambassadors and senior police officers have been traded online by Russian hackers, an investigation by The Times has found.
Email addresses and passwords used by Justine Greening, the education secretary, and Greg Clark, the business secretary, are among the stolen credentials of tens of thousands of government officials that were sold or bartered on Russian-speaking hacking sites. They were later made freely available.
Two huge lists of stolen data reveal the private log-in details of 1000 British MPs and parliamentary staff, 7000 police employees and more than 1000 Foreign Office officials, including the department’s own head of IT, an analysis shows.
The National Cyber Security Centre (NCSC), which was set up to protect Britain against cyberattacks, said it would reissue guidance to government departments after being presented with the findings.
The lists combine hacked data from websites including LinkedIn, the business networking service that was compromised in 2012, MySpace, the social media site, and dozens of smaller entities.
Security experts warned that hackers could use the data to penetrate government accounts, especially if officials had the same password across the internet. Victims could also be vulnerable to blackmail or impersonation if the passwords were used to obtain embarrassing information from personal email accounts or social media profiles.
One of the lists first appeared on a private, Russian-speaking hacking forum, suggesting that criminals within the country may have been involved in its creation.
Western governments have raised repeated concerns about Russian hacking, including alleged attempts to influence last year’s United States presidential election by penetrating Democratic Party computer systems.
Despite official guidance advising the use of strong passwords to guard against hacking, the leak shows that many would have been easy to guess.
One senior politician used the name of their home county followed by a number. Another used a relative’s surname.
Peter Jones, the Foreign Office’s chief operating officer, who has overall responsibility for IT, appears to have used a highly insecure password which occurred more than 3700 times in one of the lists.
The lists contain more than 7000 police passwords, including that of former Detective Chief Inspector Andy Redwood, who led the investigation into the disappearance of Madeleine McCann.
The three most common passwords associated with police email addresses in one of the lists were “police”, “password” and “police1”.
A number of victims of the hacking, including former Cabinet Office minister Brooks Newmark, reused insecure passwords on multiple websites.
Newmark, who served in David Cameron’s coalition government, confirmed that he simply added a number to the end of his existing password each time it needed changing. – The Times