Passwords belonging to British cabinet ministers, ambassadors and senior police officers have been traded online by Russian hackers, an investigation by The Times has found.
Email addresses and passwords used by Justine Greening, the education secretary, and Greg Clark, the business secretary, are among stolen credentials of tens of thousands of government officials that were sold or bartered on Russian-speaking hacking sites. They were later made freely available.
Two huge lists of stolen data reveal private log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office officials, an analysis shows — including the department’s own head of IT.
The National Cyber Security Centre (NCSC), which was set up to protect the country against cyberattacks, said last night that it would reissue guidance to government departments after being presented with the findings.
The lists combine hacked data from websites including LinkedIn, the business networking service that was compromised in 2012, MySpace, the social media site, and dozens of smaller entities. They include passwords used by the former ambassador to Israel and the director-general of the Department for Exiting the European Union.
Advertisement
Security experts warned that hackers could use the data to penetrate government accounts, especially if officials had the same password across the internet. Victims could also be vulnerable to blackmail or impersonation if the passwords were used to obtain embarrassing information from personal email accounts or social media profiles.
“If these people used the same credentials . . . elsewhere — potentially on government systems — that’s not good,” Rob Pritchard, a cybersecurity specialist at the Royal United Services Institute, said.
“Despite official guidance advising the use of strong passwords to guard against hacking, the leak shows that many would have been easy to guess
One of the lists first appeared on a private, Russian-speaking hacking forum, suggesting that criminals within the country may have been involved in its creation. Western governments have raised repeated concerns about Russian hacking, including alleged attempts to influence last year’s US presidential election by penetrating Democratic Party computer systems.
Despite official guidance advising the use of strong passwords to guard against hacking, the leak shows that many would have been easy to guess. One senior politician used the name of their home county followed by a number. Another used a relative’s surname.
Peter Jones, the Foreign Office’s chief operating officer, who has overall responsibility for IT, appears to have used a highly insecure password which occurred more than 3,700 times in one of the lists.
Advertisement
The lists contain more than 7,000 police passwords, including that of former Detective Chief Inspector Andy Redwood, who led the investigation into the disappearance of Madeleine McCann. The three most common passwords associated with police email addresses in one of the lists were “police”, “password” and “police1”.
A number of victims of the hacking, including the former Cabinet Office minister Brooks Newmark, re-used insecure passwords on multiple websites.
Mr Newmark, who served in David Cameron’s coalition government, confirmed that he used a specific term “for quite a while as my password, including as my parliamentary one”. Despite parliamentary rules requiring passwords to be changed regularly, he simply added a number to the end of his existing password each time it needed changing.
The system governing parliamentary passwords appears to go against advice by the NCSC, which says that “regular password changing harms rather than improves security”, as users are “likely to choose new passwords that are only minor variations of the old”. This compromises security because hackers can trawl common variations, such as substituting a “5” for an “S”, automatically.
The centre also says that users should “never re-use passwords between work and home” and warned last year about the threat from hackers “compromising databases containing large numbers of user passwords”.
“Most of the leaked credentials come from well-publicised attacks such as a 2012 hack on LinkedIn
Advertisement
Mr Newmark, who now researches cybersecurity issues at Oxford University, resigned as minister for civil society in 2014 after exchanging explicit messages with an undercover reporter from the Sunday Mirror on Twitter and WhatsApp. He said: “There’s hacks going on all the time . . . we’re incredibly vulnerable.”
Most of the leaked credentials come from well-publicised attacks such as a 2012 hack on LinkedIn, but the lists also include material previously unknown to security experts. Some of the passwords — including those attributed to Ms Greening and Mr Clark — may be a decade old. Ms Greening and Mr Clark did not respond to requests for comment or to confirm whether the passwords were correct or still in use.
Troy Hunt, who runs a website that allows users to check whether their credentials have been compromised, found more than 100 million new records in the database. Hackers use the lists to perform “credential-stuffing” attacks, exploiting re-used passwords to take over email accounts and social media profiles.
One of the lists was linked to hacking software developed by a Russian cybercriminal. Responding this month to claims of hacking related to the US election, President Putin said that if hackers are “feeling patriotic they will start contributing . . . to the justified fight against those speaking ill of Russia”.
Mr Jones and Mr Redwood declined to comment.