CIA-backed company Recorded Future says that stolen government log-ins are cropping up all over the web, with possible exposures of login credentials for 47 United States government agencies across 89 unique domains.
The company’s Web Intelligence Engine has found that as of early 2015, 12 of these agencies, including the Departments of State and Energy, allowed some of their users access to computer networks with no form of two-factor authentication.
Needless to say, the presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks and tailored spear-phishing attacks against their workforce.
The fundamental problem here is government employees are using a combination of their email and a weak password for login credentials. Hackers are finding the former and breaking the latter. That’s why that all it takes is one successful phishing email to compromise an organization.
“There are massive amounts of information available on the Internet from various data breaches, and these data allow attackers to easily identify and correlate a variety of personal information,” Ken Westin, senior security analyst at Tripwire, told Infosecurity. “Personal email addresses, social media accounts and other data may also be available, as well as work email and login credentials from other breaches.”
Pastebin searches bring up a number of compromised accounts from recent breaches, but it's likely these credentials are no longer valid. However, many threat actors have sophisticated abilities that correlate personal data from a variety of sources, including Pastebin and other similar sites.
“While an email address is certainly not a secret, the wide distribution of employee email addresses certainly makes the criminals' jobs a little easier,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “Reuse of passwords can be a huge problem for anyone, but for a government employee, the consequences might have national security implications. All organizations should be employing strong authentication to mitigate this threat.”
Igor Baikalov, chief scientist at Securonix, added that this situation shouldn’t be surprising.
“Yes, there are millions of user credentials posted on the Web, and hundreds of millions more available for sale,” he said. “You don't really need CIA-backed technology to scan those for .gov emails, and you most likely will find a lot more than a few hundred of them.”
He added, “In fact, security-conscious companies have been doing just that for years: scanning every known dump site for their employees' credentials (based on work email) and other company data (credit card or account numbers) that might be posted up for sale.”