Thousands of US Congress Emails Exposed to Takeover

Security experts have repeated warnings not to use work email addresses to sign up for third-party sites, after finding that thousands of US Congress staffers could be exposed to account hijacking and phishing.

Secure mail provider Proton teamed up with Constella Intelligence to search on the dark web for over 16,000 publicly available email addresses associated with congressional staff.

It found that 3191 staff had their emails leaked to the dark web after third-party data breaches, with 1848 of these listed alongside plaintext passwords. A larger number (2975) had passwords exposed, although they weren’t stored in plaintext for all to see.

“The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself,” argued Proton in a blog post.

“Instead, it shows that politicians and staffers used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.”

However, the share of US political email addresses exposed on the dark web (20%) pales in comparison to that of British MPs (68%) and members of the European Parliament (44%), which the researchers discovered in an earlier iteration of the study.

Yet the US findings are arguably more critical, given the upcoming election.

“We’ve seen the havoc that a single compromised email account can wreak. During the 2016 US presidential election, Hillary Clinton’s chief of staff famously fell for a phishing attack and had his emails exposed, revealing embarrassing messages and providing fodder for all manner of speculation,” said Proton.

“Imagine the chaos attackers could create if they were able to gain access to a fraction of these politicians’ and staffers’ official email accounts.”

Advice for Politicos

Proton recommended that politicians and staffers:

  • Avoid using work emails to sign up for third-party services
  • Use password managers for strong and unique credentials, and use hide-my-email aliases to mask real email accounts
  • Sign up for dark web monitoring services, which will raise an alert if they find leaked information

“In today’s digital landscape, robust cybersecurity practices are crucial, especially for those with access to sensitive information,” said Proton head of account security, Eamonn Maguire.

“The volume of exposed accounts among US political staffers is alarming, and the potential consequences of compromised accounts could be severe. Vigilance and strict security measures are essential to safeguard personal and national security.”
