Security company Recorded Future recently found stolen login credentials for 47 different U.S. government agencies across 89 different domains exposed online.
The credentials were uncovered by analyzing 17 paste sites, including Pastebin.com, between November 2013 and November 2014.
The Department of Energy was the most-exposed agency, with email and password combinations for nine different domains found online.
A February 2015 Office of Management and Budget (OMB) report [PDF] identified 12 agencies that don't require most privileged users to leverage two-factor authentication, all of which had login credentials discovered online by Recorded Future: General Services Administration, USAID, and the Departments of State, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Interior and Homeland Security.
"The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce," the Recorded Future report states. "While some agencies employ VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind as cited by the OMB report to Congress."
The large majority of the exposed passwords, according to Recorded Future, were weak and lacked complexity.
While some of the breaches were politically motivated, the report notes, many were simply targets of opportunity that happened to hold reused government login credentials, including a natural history museum and a sports news site.
In response, Recorded Future urges all government agencies to take the following precautions:
- Enable multi-factor authentication and/or VPNs
- Require government employees to use stronger passwords and change with greater regularity
- Gauge and define use of government email addresses on third party sites
- Maintain awareness of third party breaches and regularly assess exposure
- Ensure Robot Exclusion Standard (robots.txt) is set for government login pages to prevent listing of webmail/Web-services in search engines
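The "regularly assess exposure" item above is the one an agency can automate. The following Python script is an added illustration, not Recorded Future's tooling or anything from the report: it parses the `email:password` lines typical of paste dumps, keeps only accounts under the domains the organisation is watching (assumed here to be anything ending in `.gov`), counts distinct exposed accounts per domain, and flags passwords that fail a simple complexity heuristic of the kind the report says most exposed passwords would fail. The sample paste, the domain names and the passwords are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of the kind of "email:password" lines that turn up on
# paste sites. Every address and password below is made up for this example.
SAMPLE_PASTE = """\
jane.doe@example-agency.gov:Password1
bob@example-agency.gov:Summer2014
alice@mail.example.com:correct horse battery staple
cmo@hq.example-agency.gov:Tr0ub4dor&3xZ!
jane.doe@example-agency.gov:Password1
tom@sub.other-agency.gov:letmein
junk line without a credential
"""

# Assumption: the organisation monitors every domain ending in one of these suffixes.
WATCHED_SUFFIXES = (".gov",)

# local-part@domain:password; the domain is captured separately for per-domain counts.
CRED_RE = re.compile(r"^([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})):(.+)$")


def parse_credentials(text):
    """Yield (email, domain, password) for each well-formed credential line; skip the rest."""
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2).lower(), m.group(3)


def is_weak(password):
    """Complexity heuristic: shorter than 12 characters, or fewer than three of the
    four character classes (lower, upper, digit, symbol) counts as weak."""
    if len(password) < 12:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 3


def assess_exposure(text, suffixes=WATCHED_SUFFIXES):
    """Return ({domain: distinct exposed accounts}, {accounts with weak passwords})
    restricted to the watched domains. Duplicate lines collapse into one account."""
    exposed = defaultdict(set)
    weak = set()
    for email, domain, password in parse_credentials(text):
        if not domain.endswith(suffixes):
            continue
        exposed[domain].add(email)
        if is_weak(password):
            weak.add(email)
    counts = {domain: len(emails) for domain, emails in exposed.items()}
    return counts, weak


if __name__ == "__main__":
    counts, weak = assess_exposure(SAMPLE_PASTE)
    for domain, n in sorted(counts.items()):
        print(f"{domain}: {n} exposed account(s)")
    print(f"accounts with weak passwords: {sorted(weak)}")
```

Run against a real feed, the per-domain counts tell you which agency domains need a forced reset and a two-factor rollout first, and the weak-password set identifies accounts to reset immediately rather than at the next rotation. Note that the robots.txt step in the list only reduces how easily a login page is discovered through search engines; it does not restrict access to the page, so it complements rather than replaces multi-factor authentication.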
"All it takes is one successful phishing email to compromise an organization, and while an email address is certainly not a secret, the wide distribution of employee email addresses certainly makes the criminals' jobs a little easier," Tripwire director of IT security and risk strategy Tim Erlin told eSecurity Planet by email.
"Reuse of passwords can be a huge problem for anyone, but for a government employee, the consequences might have national security implications," Erlin added. "All organizations should be employing strong authentication to mitigate this threat."