A report from a Boston-based startup shows that stolen emails and passwords belonging to representatives of 47 government agencies are floating around online. The finding highlights the danger of poorly secured federal networks in the wake of the hack of the U.S. Office of Personnel Management, currently under congressional investigation.
The report was based on a scan done by Recorded Future between November 2013 and November 2014 of 17 "paste sites," where hackers often share credentials stolen from third-party sites, such as store rewards programs or travel sites. The scan identified 705 email address-and-password combinations traceable to government employees.
Given that by some estimates as many as 50 percent of people reuse passwords on multiple sites (an unfortunate trend brought to the fore earlier this week in the hack of the Houston Astros baseball team), hackers could use so-called brute force techniques to try the stolen logins against government systems and potentially gain access to government networks.
"The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce," the report said.
Scott Donnelly, a senior analyst at Recorded Future, said the company had reached out to the various government agencies implicated in the findings at the end of 2014 and the beginning of this year, but was met with silence. The company decided to release the report Wednesday on the heels of a February Office of Management and Budget report finding that 12 agencies do not require two-factor authentication for even their most privileged users.
All 12 were among the 47 agencies identified by Recorded Future. They were the General Services Administration, USAID, and the departments of State, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Interior and Homeland Security.
"These are agencies that are really lagging behind in two-factor authentication," Donnelly told CBS News.
"There are agencies that have better two-factor authentication," he continued, meaning that in order to log in to those networks, an individual needs a username, a password and an additional piece of information, such as a randomly generated numeric code. "If you have it, then the logins (found online) are useless."
Donnelly emphasized that while the lack of security underscores the possible dangers of the OPM hack that released personal information of millions of current and former government employees, it was in no way connected to that attack.
"This data is absolutely not from the OPM breach," he said.