Login credentials for websites linked to nearly 50 government agencies have been found scattered across the Internet, according to a new report from Recorded Future.
The credentials — usually consisting of a government email account linked to a password — showed up on numerous public so-called paste sites, such as Pastebin, according to the findings from the threat intelligence company.
The company said those sites tend to be a dumping ground for passwords acquired through various cyber attacks.
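The kind of monitoring the report describes, as an added illustration that is not part of the original article or of Recorded Future's own tooling: a small Python scanner that parses paste-site lines of the common `email:password` shape (also `;` and `|` separators), normalizes the address, maps its registered domain to an agency watchlist, deduplicates reposted pairs, and tallies exposed accounts per agency. The paste text, the agency-to-domain watchlist and every address and password below are constructed for the example and are not real credentials or findings.

```python
import re
from collections import Counter, defaultdict

# Constructed sample paste (NOT real data): mixed separators, noise lines,
# mixed case and a reposted duplicate, as found on paste sites.
SAMPLE_PASTE = """\
# dump reposted from some forum, 2014
jdoe@energy.gov:Summer2014!
a.smith@hq.doe.gov;correcthorsebatterystaple
someone@gmail.com:hunter2
b.jones@commerce.gov | Password1
not a credential line
c.lee@ENERGY.GOV:Energy123
d.kim@nps.gov:qwerty
jdoe@energy.gov:Summer2014!
"""

# Hypothetical watchlist (assumption for the example): registered .gov domain -> agency label.
AGENCY_DOMAINS = {
    "energy.gov": "Energy",
    "doe.gov": "Energy",
    "commerce.gov": "Commerce",
    "nps.gov": "Interior",
}

# email, then one of ':' ';' '|' as separator, then a whitespace-free password.
# The password may itself contain ':' because only the first separator is consumed.
CRED_RE = re.compile(r"^\s*([^\s:;|@]+@[^\s:;|]+)\s*[:;|]\s*(\S+)\s*$")


def parse_credential_line(line):
    """Return (email lowercased, password) if the line looks like a credential pair, else None."""
    m = CRED_RE.match(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def registered_domain(email):
    """Collapse subdomains to the registered domain: 'a@hq.doe.gov' -> 'doe.gov'."""
    host = email.rsplit("@", 1)[1]
    return ".".join(host.split(".")[-2:])


def exposures_by_agency(paste_text, watchlist=AGENCY_DOMAINS):
    """Count distinct exposed (email, password) pairs per watched agency.

    Returns (Counter of pairs per agency, dict of agency -> set of exposed addresses).
    Lines that do not parse, addresses outside the watchlist and reposted duplicates are skipped.
    """
    seen = set()
    counts = Counter()
    accounts = defaultdict(set)
    for line in paste_text.splitlines():
        parsed = parse_credential_line(line)
        if parsed is None:
            continue
        email, password = parsed
        agency = watchlist.get(registered_domain(email))
        if agency is None:
            continue  # e.g. personal webmail: not a monitored agency domain
        if (email, password) in seen:
            continue  # same pair reposted on another paste
        seen.add((email, password))
        counts[agency] += 1
        accounts[agency].add(email)
    return counts, accounts


if __name__ == "__main__":
    counts, accounts = exposures_by_agency(SAMPLE_PASTE)
    for agency, n in counts.most_common():
        print(f"{agency}: {n} exposed credential(s) for {sorted(accounts[agency])}")
```

Matching on the registered domain rather than the full host is what lets `hq.doe.gov` count toward the same agency as `doe.gov`; the deduplication step matters because the same dump is typically reposted across several paste sites, which would otherwise inflate the ranking.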
More worrisome, according to the report, is that some of the agencies did not require two-factor authentication for their logins, so a leaked email address and password alone could be enough to gain access, which makes those credentials far more valuable to an attacker.
“The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce,” according to the report.
The analysis was conducted between November 2013 and November 2014. During that time, the Department of Energy had the most exposure, followed by the Commerce Department and the Interior, Health and Human Services, Homeland Security, Justice and Treasury departments.
Of those, only the Commerce and Justice departments had two-factor authentication in place at the time.
The company said the posted credentials were often removed quickly, and that it contacted the government about its findings.
“However, many credentials with easily discoverable logins remain posted to social media, forums and paste sites,” according to the report. “While Pastebin.com attempts to monitor its content, many similar paste sites do not, and we refrain from highlighting them in this document.”
The report said that while some of the passwords appeared to come from targeted attacks, most were swept up in breaches of third-party websites. This happens when government employees register for an outside web service with their work email address: a breach of that service then exposes a government address paired with whatever password the employee chose there.
The report recommends that government agencies require multi-factor authentication and the use of virtual private networks. It also calls for employees to create strong passwords and change them regularly, and for agencies to define when it is acceptable to use government email addresses on third-party sites, among other recommendations.
Recorded Future, founded in 2009, has received start-up funding from Google Ventures and from In-Q-Tel, the venture firm backed by the U.S. Intelligence Community.