One of the more alarming security news stories from this week was that there are a whole heap of leaked government credentials out there on the public web. The security firm Recorded Future trawled through a bunch of typical sites used to dump compromised data and found “login credentials belonging to 47 United States government agencies”, which, on the surface of it, sounds alarming. At least it would be if it wasn’t already such a common occurrence.
In maintaining the online data breach search tool known as Have I been pwned?, I come across an awful lot of compromised data out there on the public web and an alarming proportion of it belongs to people with .gov email addresses. This is not necessarily the result of breached government websites; rather, it is people signing up to services using their government email and then leaking all sorts of information once those services are compromised.
A perfect example of this is the hundreds of .gov email addresses in the Adult Friend Finder data breach. This is an enormously sensitive set of data by virtue of the site’s intent (it’s for seeking out hook-up sex) and here we have a veritable treasure trove of government employees appearing in the dump. This includes email addresses from U.S. departments such as Homeland Security and the FAA as well as governments from around the world including Brazil, South Africa and yes, even Australia. In fact, in Australia’s case, there are 4 accounts using their Department of Defence email addresses in combination with usernames such as “Ibizadaypartyboy”, “needitalways6”, “marriedndeprivd4” and another one not really suitable for publication here.
Or take the big Adobe data breach of 2013. Whilst the 152 million records disclosed there may not have been as personally sensitive as the Adult Friend Finder breach, the quarter million .gov email addresses in there disclose some very juicy info to would-be attackers. One of the big problems with the Adobe dump was the plain text password hints that all but disclose the user’s credentials. For example, hints on government records such as “Where you were born?”, “independence year” and “surname” sit next to an email address with a firstname.surname pattern. There are also a large number of hints such as “Standard internet password” and “The usual password” which almost certainly illustrate poor password practices used by government employees.
The real concern with leaks of this nature is the leverage it gives attackers over the victim, either in terms of exploiting their other accounts or socially engineering them. Credential reuse on government assets is an obvious risk and resources such as data breaches are a natural starting point for an attacker. The social engineering side poses a raft of other risks though. For one, leaked personal information may be leveraged by an attacker to create an air of authenticity in a phishing campaign. A more sinister approach may be to use information which suggests infidelity as per the defence.gov.au example to blackmail the target into disclosing sensitive government information.
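The screening a security team would want to run over a dump like the Adobe one, once it knows its own domain appears in it, looks roughly like the following. This is an added example, not code from the post or from Have I been pwned?; the records are constructed (email, hint) pairs rather than real breach data, and the hint patterns are my own assumptions about what signals password reuse or a hint recoverable from the email address itself.

```python
import re

# Constructed sample records in the shape (email, plain text hint); not real breach data.
SAMPLE_RECORDS = [
    ("jane.doe@example.gov", "surname"),
    ("john.smith@example.gov", "The usual password"),
    ("alex.lee@example.gov", "Where you were born?"),
    ("pat.kim@example.gov", "favourite colour"),
    ("someone@example.com", "standard internet password"),  # not our domain
]

# Hints suggesting the same password is used on other services (assumed patterns).
REUSE_PATTERNS = [r"\busual\b", r"\bstandard\b", r"\bsame as\b", r"\balways\b"]
# Hints pointing at data recoverable from the address or public records (assumed patterns).
IDENTITY_PATTERNS = [r"\bsurname\b", r"\blast ?name\b", r"\bfirst ?name\b",
                     r"\bborn\b", r"\bbirth", r"\bindependence\b"]


def classify_hint(hint):
    """Bucket a hint as 'reuse', 'identity' or 'other'."""
    h = hint.lower()
    if any(re.search(p, h) for p in REUSE_PATTERNS):
        return "reuse"
    if any(re.search(p, h) for p in IDENTITY_PATTERNS):
        return "identity"
    return "other"


def triage(records, watched_domain):
    """Return (email, category, hint) for every record on the watched domain."""
    findings = []
    for email, hint in records:
        _, _, domain = email.rpartition("@")
        if domain.lower() != watched_domain.lower():
            continue  # ignore accounts that are not ours
        findings.append((email, classify_hint(hint), hint))
    return findings


def summarise(findings):
    """Count findings per category so the worst buckets can be prioritised."""
    counts = {"reuse": 0, "identity": 0, "other": 0}
    for _, category, _ in findings:
        counts[category] += 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_RECORDS, "example.gov")
    for email, category, hint in hits:
        print(f"{category:8} {email:28} hint={hint!r}")
    print(summarise(hits))
```

Accounts in the "reuse" bucket are the ones to force a reset on first, since the hint itself says the password is shared with other services.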
The mind boggles at the sorts of resources government employees willingly share their personally identifiable information with. Far from being a newly discovered risk, it’s a well-established one that has spread itself far and wide across the web.