Stolen US government passwords leaked across Web

Login credentials and passwords belonging to the majority of federal agencies have been leaked online.
Written by Charlie Osborne, Contributing Writer

A CIA-backed startup has discovered login credentials and passwords for 47 US government agencies littered across the Internet -- leaving federal agencies potentially at risk of cyberattack.

Recorded Future, a Boston-based data mining firm backed by the CIA's venture capital arm, said in a research report that credentials belonging to 47 US government agencies have been found across 89 unique domains.

Two-factor authentication is an option offered by various online services, including Facebook, Gmail and PayPal, to heighten individual security and provide a second layer of defense. As passwords are far from the most secure way to protect and authenticate an account, if credentials are stolen, two-factor authentication -- such as linking a mobile phone to your account -- can be used to prevent unauthorized entry.

However, as of early 2015, 12 of the US agencies -- including the Departments of State and Energy -- which have lost credentials online do not stipulate the use of two-factor authentication when users access their systems. As credentials have been leaked, this leaves these departments open to unauthorized access.

"The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce," Recorded Future says.

The startup used the Recorded Future Web Intelligence Engine, an "analytics" engine designed to seek out "invisible links" between content streams which talk about "the same, or related, entities and events." The engine scanned over 680,000 Web sources in multiple languages, linking together contextual data and sources in order to ferry out the credentials belonging to governmental bodies.

Many of the credentials were discovered on paste sites including Pastebin after being stolen using third-party services. The report states:

"In many cases, our research identified the immediate removal of the credentials by sites such as pastebin.com.
However, to Recorded Future's knowledge, no efforts are made to contact government agencies whose credentials may be posted on a paste site. Further, while the information may be removed from a paste site, it likely still circulates in private circles and is available to the original attackers."

The public release of the report may push government agencies to take department security more seriously. The US may heavily invest in spying programs through the National Security Agency, but it seems like the basics of security have yet to be grasped -- and as a case, departments unrelated to the NSA may find themselves the target of surveillance by other parties.

ZDNet has reached out to the CIA and will update if we hear back.

10 steps to erase your digital footprint

Read on: Top picks

Editorial standards