Blame shoddy security for UK parliament hack, says report

Without two-factor authentication, there was nothing stopping hackers from using stolen passwords.
Written by Zack Whittaker, Contributor


A "sustained and determined" cyberattack on UK parliament's systems likely wasn't the work of a nation-state attacker, as first thought.

Last week's attack saw 90 accounts compromised, or about 1 percent of the total users on the hosted Microsoft platform. Accounts were compromised "as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service," said a parliamentary spokesperson at the time.

According to a Reuters report Thursday, investigators found that the hackers only gained access to the accounts of lawmakers with "primitive and easily discovered passwords."

This attack was likely "skiddies arsing around," said Alan Woodward, a professor at the University of Surrey, in a tweet, referring to "script kiddies," who use primitive hacking techniques, such as brute-force login attempts using a list of previously stolen passwords.

It's a common sight nowadays. Low-level attackers take passwords stolen from one service and try them against accounts on other services where the owner used the same password -- a password reuse attack. Such attackers are often stumped by an additional layer of security, like two-factor authentication.

Not all parliamentary systems or accounts used two-factor authentication at the time of the attack.

One parliamentary source, who did not want to be named, described logging into parliamentary systems, including email, with just a username and password.

Without two-factor authentication in place at the time, parliamentary officials had to fend off more than 48,000 attempts to break into the network in a single hour, said Rob Grieg, director of the Parliamentary Digital Service, in a blog post.

Grieg said that "some email data has been taken" in the attack.

"At no time did the systems on the Parliamentary estate go offline and our objective was achieved," said Grieg. "A lesser response would have resulted in a total loss."
