News
Security and Privacy

Email Insecurity

Sketchy cyber policies and practices have some staffers reusing the same password across multiple business and personal accounts, which increases the risks associated with compromised information.

Posted
U.S. Capitol building seen through a pair of open doors

Big elections raise the visibility and scrutiny of political cyber events. Alleged breaches of Hillary Clinton’s private email server and actual hacks of Democratic National Committee (DNC) emails made headlines in the 2016 election cycle. This Presidential election season, official U.S. Capitol email addresses, passwords, and PII are exposed on dark web markets. The potential results are alarming.

The official email addresses of 3,191 congressional aides/staffers have appeared on the dark web, according to a Proton and Constella Intelligence report first published in May 2024. These were official work email addresses. Some 1,848 of these addresses were listed with plaintext passwords. The data came from third-party breaches of social media and other sites. A small number of accounts were from dating and adult sites.

According to Alberto Casares, chief technology officer of Constella Intelligence, an identity intelligence company, information on affected Capitol members has been found in approximately more than ~200 different data breaches and several infostealers. An infostealer is a kind of malware used in phishing and malicious download and drive-by attacks.

Weak security policies, practices, and procedures

Written security policies, practices, and procedures for Capitol aid/staffer email accounts are not apparent if those even exist. There is, however, evidence of lax cybersecurity training and secure systems.

“The staff in legislative offices are generally young recent college graduates who have not received formal training in cybersecurity and the safe handling of electronic data,” said Philip Lieberman, who is heavily involved in politics as a high-level campaign donor and has worked extensively with Congress on matters of national security. Lieberman created the former Lieberman Software, a multi-national cybersecurity, IT management, and cyberwarfare company, now part of BeyondTrust.

“Legislative office systems are consumer-grade, and there is little budget or expertise in device management and identity management within the organization,” said Lieberman.

Likely password reuse

“For staffers, the choice of password is up to them. It is easiest to use one password for all personal and business cases, and that is the path most people choose,” said Lieberman.

Aides or staffers registering official email addresses and passwords on vulnerable third-party sites put those credentials at risk. Cybercriminals can use those to gain unauthorized access to any account or system that uses the same password, including Capitol accounts.

“During the analysis, we identified the reuse of passwords by the analyzed users,” said Casares. Constella Intelligence analyzed the email addresses and sensitive data of U.S. Capitol staffers that had been breached.  

“By analyzing the compromised data, our system automatically detected instances where the same passwords were used across multiple accounts and services,” said Casares. “We can see where a single password has been reused across different platforms, increasing the risk of broader compromise,” he said. While not every affected staffer reused passwords, some did, according to Casares.

The frequent reuse of passwords is a common trend in data exposures, said Casares; individuals often reuse the same credentials across multiple sites. 

For example, in a separate incident, the most commonly reused password at the U.S. Department of the Interior (Password-1234) was used in 478 unique active accounts, according to a 2023 report from the Department’s Office of Inspector General.

Security holes permit password reuse

“There is no cross-checking of common passwords between systems. Most organizations don’t subscribe to a service to check whether their passwords are compromised and available on the dark web,” said Lieberman.

Poor password hygiene means users don’t change their passwords. People share them with friends and co-workers, circulating them broadly. It’s part of why passwords and password databases stolen today are valuable years later.

How Constellation Intelligence found the data

Cybercriminals typically breach social media, dating, and adult sites by exploiting software vulnerabilities, misconfigurations, and unintentional data exposures and using malware, especially infostealers, according to Casares.

“Constella Intelligence identifies compromised data across the Internet, including the deep and dark web, using cutting-edge A.I. technologies and more than fifteen years of expertise from its subject matter experts,” said Casares. He added that Constella monitors not only data breaches, but also infostealers.

“As a result of our analysis, we discovered that some of the profiles we examined were specifically infected by infostealer malware. This led to the exposure of their official email addresses, among many other sensitive personal data,” said Casares.  

Social, dating, and adult sites

The Report specifies LinkedIn, Facebook, and Twitter as breached sites containing the Capitol staffers’ data. Some 1,487 Capitol aides’ LinkedIn accounts were exposed; 416 of their Facebook accounts and 347 of their Twitter profiles were also breached, according to the Proton/Constella report. The Report did not specifically name other sites tied to Capitol aides and staffers.

Beyond that, Casares said it’s reasonable to assume the sites include adult, dating, and sensitive content platforms that have been publicly reported in recent years.

Personal and Capitol data at risk

Personally Identifiable Information (PII) is the data most at risk, said Casares. PII is any information someone could use to identify a specific person. For some staffers, multiple exposed attributes were found, including Social Security numbers, dates of birth, and home addresses, said Casares.

Bad actors trade in PII on the dark web and build detailed profiles of millions of people. The more robust the profile, the greater the risk of identity theft—posing as the user to gain access to systems and accounts and commit acts of fraud. Fraud examples include extortion and opening financial accounts in the user’s name.

“With leaked passwords, attackers could use credential stuffing to access official accounts,” said John Price, chief executive officer of SubRosa, a cybersecurity and risk advisory firm, and emeritus counterintelligence and security consultant for the U.K. Ministry of Defense. “Bad actors could impersonate staffers, steal confidential documents, or plant malware for long-term surveillance of Capitol networks,” he said.

In credential stuffing attacks, attackers use malicious bots—Internet robots—to enter credentials, such as usernames and passwords, into many login screens rapidly to find the ones that unlock access.

Cybercriminals can target control of the staffers’ official email accounts. “Once you have access to their email, the entire inbox, and the file structure of an email account, exporting that information is easy to do quite quickly,” said Price.

With access to Capitol email accounts, attackers could read, intercept, and fake email communications. According to Price, attackers could access classified information if the staffers were transmitting data that was not within the specified classification level.

No change since the breaches

According to Lieberman, there is no enforcement power at the Federal level regarding Congressional restrictions on staffers’/aides’ using social or adult sites with emails or passwords they use professionally or otherwise.

“Civilian and defense agencies that lawmakers regulate have been utilizing strong authentication for at least 20 years. Lawmakers should consider using defense or well-known cybersecurity contractors to manage their identities and provide password management with password rotation,” said Lieberman. “Like everything in Washington, DC, it is about money and power. Legislators need to fund better IT services, training, and security for their own use,” said Lieberman.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More