Recorded Future, a “real-time threat intelligence company” backed by the CIA’s venture capital wing, found login credentials for 47 government agencies across 89 different domains.
The Department of Energy and the Department of Homeland Security were among the agencies with the most domains carrying leaked credentials; neither department requires two-factor authorization.
A lack of two-factor authorization has been cited as a factor in the recent hacking into the Office of Personnel Management. As of February 2015, 12 federal agencies do not require two-factor authorization.
The stolen passwords were frequently posted on “paste” sites, such as pastebin.com. These sites allow users to share and store plain text.
The report released by Recorded Future states that, “In many cases, our research identified the immediate removal of the credentials by sites such as pastebin.com. However, to Recorded Future’s knowledge, no efforts are made to contact government agencies whose credentials may be posted on a paste site. Further, while the information may be removed from a paste site, it likely still circulates in private circles and is available to the original attackers.”
Many of the passwords were stolen through employees using third-party sites; this process is shown below.
Recorded Future found that, “Often, and in a large majority of the exposed credentials, passwords were “weak” and lacked complexity making it trivial for cyber criminals to decode their hashes using lookup tables and easily obtainable password cracking tools.”
Around half of Americans use the same user/password combination across multiple sites, making it easy for a hacker to use the stolen credentials to gain access to an employer’s network.