Credentials stolen in breaches and sundry hacks belonging to close to 100 unique U.S. government domains are scattered among a number of paste sites and are searchable in other locations online.
Analysts at Recorded Future said on Wednesday that through open source intelligence gathering and analysis, they found either clear text or hashed email-password combinations belonging to individuals at 47 agencies. The credentials were found mostly on 17 different paste sites, including Pastebin, and were posted there between November 2013 and November 2014.
All of the affected agencies were informed, Recorded Future said. The lengthy exposure of the credentials—most of which afforded access to non-classified networks—put government employees and agencies at risk for a number of attacks ranging from identity theft to social engineering, phishing, and espionage.
Recorded Future, which is partly funded by the CIA’s venture arm In-Q-Tel, singled out a Dirty Dozen list of agencies that allowed users access to online resources without requiring two-factor authentication. Nine Department of Energy domains and seven belonging to the Commerce Department, for example, were affected—by far the two most exposed agencies. The other agencies are: General Services Administration, USAID, State Department, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Interior and Homeland Security. None of the aforementioned agencies required a second factor of authentication, even for their most privileged users, according to a February report to Congress from the Office of Management and Budget.
Recorded Future said it found paired email-password combinations for all 12 agencies.
“The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce,” Recorded Future said in its report, “Government Credentials on the Web.” “While some agencies employ VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind as cited by the OMB report to Congress.”
While Recorded Future’s analysis took place prior to the recently disclosed Office of Personnel Management (OPM) hack during which millions of federal employees’ personal records, background checks and security clearance applications were accessed, a number of OPM credentials were also found in the clear on a number of paste sites.
Most of the paste sites removed the stolen credentials once they were informed, Recorded Future said, but added that the government agencies were not informed of the exposed passwords or hashes.
“While the information may be removed from a paste site, it likely still circulates in private circles and is available to the original attackers,” Recorded Future said. “Due to the lack of context with most publicly announced data exfiltration, it’s unclear when specific attacks occurred or if the original attacker had attempted to leverage any stolen information.”
Since most of the stolen credentials were pilfered in hacks or breaches of third-party sites (compromised, for example, in drive-by download attacks), the exposures highlight the problem of password re-use: many of the government employees had used their government domain accounts to register for third-party services that were later attacked. Exacerbating the problem, not only were the passwords re-used over and over, but they also lacked complexity, making them easy to crack with a lookup table or password cracker.
“If a third-party website’s username/password database is hacked and the employee used the same login credentials on that website as at work, those credentials could allow unauthorized access to the employer’s network,” the report said.
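The two points above, that re-used credentials on a breached third-party site become credentials for the employer, and that unsalted hashes of simple passwords fall to a precomputed lookup table, are what a security team has to triage when a dump like the ones described turns up. The following added example (not code from the article or from the Recorded Future report) shows that triage from the defender's side: it parses constructed "email:secret" lines, keeps only addresses in monitored domains, tells cleartext passwords from unsalted hex digests, and checks the digests against a small lookup table built from a constructed weak-password list so that the accounts whose passwords are known outright can be reset first. The domains, addresses, passwords and the weak-password list are all made up for the example; the hashes are computed in the block rather than copied from anywhere.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example (not from the article or the Recorded Future report): triage of
# leaked "email:secret" lines as a defender would, to decide who needs a reset.

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}   # unsalted digests by hex length
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SEP_RE = re.compile(r"[:;|]")                          # separators commonly seen in dumps


def digest(algo: str, password: str) -> str:
    """Hex digest of an unsalted password, the way weak sites store them."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


# Constructed sample dump. Addresses and passwords are made up; the hashes are
# computed here so the example is self-contained and deterministic.
SAMPLE_PASTE = "\n".join([
    "jdoe@agency.example.gov:Summer2014",                              # cleartext, weak
    "asmith@agency.example.gov:" + digest("md5", "password"),          # unsalted MD5
    "someone@example.com:hunter2",                                     # not a monitored domain
    "bjones@other.example.gov:" + digest("sha1", "123456"),            # unsalted SHA-1
    "cwhite@agency.example.gov:" + digest("sha256", "x7#Qp9!vLm2@Rz"), # strong, not in list
    "garbage line without separator",
])

MONITORED_DOMAINS = {"agency.example.gov", "other.example.gov"}

# Stand-in for a compromised-password list; a real one has millions of entries.
KNOWN_WEAK_PASSWORDS = ["password", "123456", "Summer2014", "welcome1", "letmein"]


@dataclass
class Finding:
    email: str
    kind: str                 # "cleartext" or "hashed"
    algo: Optional[str]       # guessed digest algorithm for hashed entries
    matched: Optional[str]    # weak password that equals, or hashes to, the secret


def build_lookup_table(passwords: List[str]) -> Dict[Tuple[str, str], str]:
    """Precompute unsalted digests of known-weak passwords for every algorithm
    we recognise, plus a 'plain' entry for cleartext comparison. This is the
    lookup table the article refers to; per-user salts and slow password
    hashes are what make such a table useless against a stolen database."""
    table: Dict[Tuple[str, str], str] = {}
    for pw in passwords:
        table[("plain", pw)] = pw
        for algo in HASH_ALGOS.values():
            table[(algo, digest(algo, pw))] = pw
    return table


def classify_secret(secret: str) -> Tuple[str, Optional[str]]:
    """Guess whether the secret field is a plain password or an unsalted hex
    digest. A cleartext password that happens to be 32/40/64 hex characters
    would be read as a hash; for triage that is the conservative direction."""
    algo = HASH_ALGOS.get(len(secret))
    if algo and HEX_RE.match(secret):
        return "hashed", algo
    return "cleartext", None


def triage(paste_text: str, monitored: Set[str],
           lookup: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Parse dump lines, keep monitored domains, and mark what is already known."""
    findings: List[Finding] = []
    for line in paste_text.splitlines():
        parts = SEP_RE.split(line.strip(), maxsplit=1)
        if len(parts) != 2 or "@" not in parts[0]:
            continue                                   # not an email:secret pair
        email, secret = parts[0].strip().lower(), parts[1].strip()
        if email.rsplit("@", 1)[1] not in monitored:
            continue
        kind, algo = classify_secret(secret)
        key = (algo, secret.lower()) if kind == "hashed" else ("plain", secret)
        findings.append(Finding(email, kind, algo, lookup.get(key)))
    return findings


def needs_immediate_reset(findings: List[Finding]) -> List[str]:
    """Accounts whose password is known outright: posted in clear, or recovered
    from an unsalted hash by the lookup table. Everyone else still gets a reset,
    but these come first."""
    return sorted(f.email for f in findings if f.kind == "cleartext" or f.matched)


if __name__ == "__main__":
    table = build_lookup_table(KNOWN_WEAK_PASSWORDS)
    for f in triage(SAMPLE_PASTE, MONITORED_DOMAINS, table):
        print(f)
    print("reset first:", needs_immediate_reset(triage(SAMPLE_PASTE, MONITORED_DOMAINS, table)))
```

Two things in the output matter for the article's argument: the SHA-1 and MD5 entries are recovered instantly because the third-party site stored unsalted fast hashes of short passwords, and the only account that survives the table is the one whose password was neither re-used from the weak list nor guessable, which is exactly the account that a second authentication factor would have protected anyway.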