https://proton.me/blog/politicians-exposed-dark-web ProtonProton * Products [mail_xxy4b] ProtonMail Encrypted email that's private by default. [calendar_y] ProtonCalendar Your calendar is a record of your life. Keep it safe. [drive_wo2n] ProtonDrive Secure cloud storage that gives you control of your data. [vpn_f9embt] ProtonVPN Your gateway to online freedom. (new window) [pass_wl1fk] ProtonPass An encrypted password manager that protects your online identity. Proton for Business Improve the security of your business and comply with data protection laws. * Who we are About us Proton stands for privacy. Always has, always will. Team Meet the people building a better internet. Impact Defending freedom through tech is why we exist. CareersWe're hiring Seeking talented people to take Proton to the next level. We've always been guided by the Proton community. Community Join the fight to make the internet a better place. Open source Everyone is welcome to inspect our code. We're open. * Resources & Support Get started ----------------------------------------------------------------- Switch to Proton Move to Proton in just a few clicks with Easy Switch. Resources ----------------------------------------------------------------- Blog Latest news on privacy and the internet. News Proton announcements, audits, and releases. Help and support Guides and customer support for Proton products. Password generator Create strong, random passwords. Download the apps ----------------------------------------------------------------- Proton Mail Proton Calendar Proton Drive Proton VPN (new window) Proton Pass * For Business Blog Sign inCreate a free account Open menu [proton-blo] * Proton news * Privacy news * Privacy basics * Privacy deep dives * Opinion * For business Subscribe by RSS Search for blog posts Create a free account [politician] * Privacy news Cyber house of cards - Politicians' personal details exposed online [Richie_Koc] Richie Koch Share this page * [x-widestro](new window) * [reddit-gra](new window) * [facebook-g](new window) * [linkedin-g](new window) * Published on May 30, 2024 The email addresses and other sensitive information of 918 British MPs, members of the European Parliament, and French deputies and senators have been leaked to dark web marketplaces where data is illegally bought and sold. As part of our investigation with Constella Intelligence(new window), we searched the dark web for 2,280 official government email addresses from the British Parliament, European Parliament, and French Parliament. We found that around 40% had been exposed, along with passwords, birth dates, and more. British MPs fared the worst, with over two-thirds (68%) of checked email addresses appearing on the dark web, followed by nearly half (44%) of EU MEPs. French deputies and senators had the best security, with only 18% of searched emails appearing in hacker exchanges. [politicians-credentials-leaks-blog-diag-overall2x] The fact that these emails, which are publicly available on government websites, are on the dark web isn't a security failure by itself. Nor is it evidence of a hack of the British, European, or French parliaments. Instead, it shows that politicians used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they're entrusted to keep safe needlessly at risk. Even more concerning is that these email addresses were matched with 697 passwords in plain text. (Proton informed every affected politician that they had sensitive data exposed on the internet before publishing this article). If a politician reused one of these exposed passwords to protect their official email account, it could also be at risk. We've seen the havoc that a single compromised email account can wreak. During the 2016 US presidential election, Hillary Clinton's chief of staff famously fell for a phishing attack(new window) and had his emails exposed, revealing embarrassing messages(new window) and providing fodder for all manner of speculation(new window). Imagine the chaos attackers could create if they were able to gain access to a fraction of these politicians' official email accounts. Many of these MPs, MEPs, deputies, and senators are in senior positions, including heads of committees, government ministers, and senior opposition leaders, and have access to highly sensitive information. Even worse, several of them are currently serving or have formerly served on committees charged with overseeing and enforcing national (and international) digital strategies. While we aren't publishing any identifiable data to avoid putting individuals at risk, we can reveal that our investigation showed elected politicians regularly used their official emails to sign up for services like LinkedIn, Adobe, Dropbox, Dailymotion, petition websites, news services, and even, in a small number of cases, dating websites. Below, we share the full results of our investigation, what this lax attitude toward cybersecurity could lead to, and what politicians (and everyone else) can do to improve their online security. Politicians' exposed data In our investigation, we unfortunately found all kinds of sensitive information linked to politicians' emails, including their date of birth, the address of their residences, and social media accounts. Taken together, this information gives attackers plenty of details to make convincing phishing attacks. Number of Number of Number of Number of email breached passwords passwords addresses email exposed in exposed in searched addresses plaintext plaintext EU 705 309 161 27 Parliament British 650 443 216 30 Parliament French 925 166 320 137 Parliament [politicians-credentials-leaks-blog-diag-fr2x-1] French politicians outperform other elected officials As previously mentioned, only 18% of the French politicians' emails we searched for appeared in dark web exchanges. However, these breaches aren't evenly distributed. In the French Senate, 115 of the 348 (33%) senators' emails we searched for were exposed, compared to only 51 out of 577 (roughly 9%) for deputies in the National Assembly. If a French politician was breached, their information appeared in an average of 7.8 breaches. If this number seems high, it's undoubtedly because France is home to the single politician who suffered the most breaches of their email address (137) and had the most passwords exposed in plaintext (133). France is also home to an example of the worst-case scenario actually happening. In November 2023, journalists discovered that an attacker stole the username and password to a member of Parliament's email address and sold access to their official inbox on the dark web(new window). Perhaps the most surprising aspect of this story is that the asking price was only $150 (EUR138). Just over a month before the Paris Olympics begin, these results highlight concerns around politicians' cybersecurity practices, where just one breach could be a serious national security threat. [politicians-credentials-leaks-blog-diag-uk2x-3] Most British politicians have been breached According to our findings, British MPs are fortunate not to have suffered a major scandal involving account takeovers, as 68% of searched email addresses were found on the dark web, including senior figures both in the government and the opposition. MPs' email addresses were exposed a total of 2,110 times on the dark web, with the most frequently targeted MP experiencing up to 30 breaches. They also showed up repeatedly, with the average breached MP having their details show up in 4.7 breaches. The UK has repeatedly been targeted by state-backed cyberattacks, including from Russia. In December 2023, the UK government accused Russia(new window) of a "years-long cyberattack" on British academics, politicians, and policymakers. It claimed Russia's FSB was attempting to phish these individuals to spy on their private emails. With the upcoming general election taking place in the UK, it's vital that new MPs take their personal -- and national -- cybersecurity seriously and adhere to strict security processes and protocols for official accounts. [politicians-credentials-leaks-blog-diag-eu2x-1] The EU is also a target While members of the European Parliament suffered fewer breaches than their British peers, nearly half of the emails we searched for appeared on the dark web. Of the 309 MEPs exposed, 92 were caught up in 10 or more leaks. Politicians in Brussels had their email addresses exposed 2,311 times, along with 161 passwords in plaintext. This is a red alert, as the European Parliament has increasingly become a target of sophisticated attacks and has admitted it's not prepared. When Politico(new window) asked about the security of the European Parliament and upcoming elections, an anonymous staffer (who wished to remain nameless due to the sensitivity of the issue) said, "We're standing with our bare bottoms out and if anyone wants to hack us, like any Chinese threat actor or any state actor, they can". The threats are real. In February, two members and a staffer of the European Parliament's security and defense subcommittee found spyware on their smartphones(new window). And in March, it was revealed that APT31 (also known as Judgment Panda), a hacking group with ties to Chinese intelligence agencies, was the likely suspect behind an attempted hack of every European Union member(new window) of the Inter-Parliamentary Alliance on China, a coalition of lawmakers critical of the Chinese government. Cybersecurity is national security In our investigation, the affected politicians generally had their details leaked by service providers, like LinkedIn or Adobe. Even if a hostile takeover of one of these accounts won't grant an attacker (or foreign government) access to state secrets, it could reveal that politician's private communications or other sensitive data. Attackers could then use this information to phish or blackmail the politicians. And this is the best possible scenario. If a breached politician reused a password that was exposed on the dark web on one of their official accounts (and failed to use two-factor authentication), it could let attackers into government systems. Sadly, it only takes one error to put your online information at risk. And for a government, it only takes one set of hacked or leaked login credentials to expose classified secrets. Simple steps can make us all more secure The internet creates an almost impossible conundrum: It's almost impossible to go through your day-to-day life without being online, but maintaining your security online is just as difficult. And politicians are just humans like the rest of us. They make mistakes too. And sometimes, even if you do everything right, your information can still end up in hacker databases. Large companies clearly also deserve a large portion of the blame. As the endless(new window) onslaught(new window) of data(new window) breaches(new window) demonstrates(new window), they must take better care of the account information they collect. However, government officials, especially lawmakers with access to sensitive government information, must have a more robust threat model than the average person. This applies to any public figure -- whether an academic, journalist, business executive, etc. To begin with, no one should use their professional email to create online accounts, especially government officials who have access to secret information. Your email address is your online identity, something that allows Big Tech, advertisers, and sometimes even malicious attackers to follow you around the internet. Using your official government email address for accounts is like shouting, "I am a valuable target", every time you walk into a room. Here are some simple steps that everyone, but especially politicians and anyone else under public scrutiny, should adopt if they're serious about increasing their account security: * Use email aliases - Email aliases obscure who an account belongs to (at least if the alias is exposed in a breach). You can also easily delete an alias that has clearly been leaked or fallen into the wrong hands without affecting your real email address or other aliases. * Use a password manager - A password manager may not prevent services from leaking passwords in plaintext, but it can ensure that each of your accounts is protected with a strong, random, unique password. A good password manager should also make sharing and managing passwords easy, making it less likely you'll expose a password by writing it down. * Use dark web monitoring services - You can do everything correctly and still have your information exposed online by a careless company's data breach. But if you have dark web monitoring, you'll be informed the moment your information is detected, letting you change your email address (or, ideally, your email alias) and password before attackers can use it. Proton Pass can solve all of these problems. If you choose our Proton Pass Plus plan, you get: * Unlimited hide-my-email aliases * A password generator * Support for passkeys * A built-in two-factor authentication code generator * Pass Monitor, which alerts you if your Proton Mail email addresses or aliases appear on the dark web * Proton Sentinel, which defends your Proton Account against takeover attacks Take control of your account security (and, if you're a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today. Get Proton Pass Plus Protect your privacy with Proton Create a free account Share this page * [x-widestro](new window) * [reddit-gra](new window) * [facebook-g](new window) * [linkedin-g](new window) * [Richie_Koc] Richie Koch Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom. Related articles [blog-email] * Privacy basics What is an email thread and when should you use one? Email threads are so ubiquitous you might not realize what they are. An email thread is basically a series of related emails grouped together. This article will tell you everything you need to know about what exactly an email thread is and when you [how-to-pre] * Privacy basics How to prevent identity theft Identity theft is a major sector of criminal activity. About 24 million people fell victim in the United States alone in 2021, costing them over $16 billion. Credit card fraud is the most common type, but criminals target all kinds of personal data. [degoogle-b] * Privacy basics How (and why) to de-Google your life and protect your privacy Google is one of the biggest obstacles to privacy. The Big Tech giant may offer quick access to information online, but it also controls vast amounts of your personal or business data. Recently, more people are becoming aware of the actual price you What to do if someone steals your Social Security number * Privacy basics What to do if someone has your Social Security number If you're a United States citizen or permanent resident, you have a Social Security number (SSN). This number is the linchpin of much of your existence, linked to everything from your tax records to your credit cards. Theft is a massive problem, whic compromised passwords * Privacy basics How do passwords become compromised? Compromised passwords are a common issue and probably one of the biggest cybersecurity threats for regular people. How do passwords get compromised, and is there anything you can do to prevent it? * What does compromised password mean? * How do pa Is WeTransfer safe? * Privacy basics Is WeTransfer safe? WeTransfer is a popular service used by millions worldwide to send large files. You may have wondered if it's safe or whether you should use it to share sensitive files. We answer these questions below and present a WeTransfer alternative that may su Proton Proton - Privacy by default * Twitter(new window) * Reddit(new window) * Instagram(new window) * Facebook(new window) * Linkedin(new window) * Mastodon(new window) * Rss * Youtube(new window) * Products * Products + Proton Mail + Proton Calendar + Proton Drive + Proton VPN(new window) + Proton Pass + Proton for Business * Privacy and community * Privacy and community + Password generator + Tor + Switch to Proton + Community + Open source + Pricing * Company * Company + About us + Team + Impact + Careers We're hiring + Shop(new window) * Connect * Connect + Blog + Help and support + Partners and affiliates + Press and media + Contact us --------------------------------------------------------------------- Proton AG Route de la Galaise 32 1228 Plan-les-Ouates Geneva, Switzerland Built with support from Swiss Confederation Flag Schweizerische Eidgenossenschaft Confederation Suisse Confederazione Svizzera Confederaziun Svizra Swiss Confederation Innosuisse - Swiss Innovation Agency European Flag This project is supported by the European Union's Horizon 2020 program (Grant No 848554) * System status(new window) * Report abuse * Report a problem * Report a security issue * Request a feature(new window) * Privacy policy * Terms & conditions * Transparency report * (c) 2024 Proton AG. All rights reserved.