In the wake of several government cyber attacks in recent months comes yet another troubling discovery this month—the logins and passwords for more than 200 government employees across nearly 50 different agencies, allegedly posted online by hackers.
Several news outlets are reporting that a CIA-backed cyber intelligence firm called Recorded Future performed a comprehensive sweep of 17 "paste sites" recently — Web applications that allow people to store and share data in text form online — and discovered credentials such as logins and passwords for 224 ".gov" email addresses, belonging to staffers across 47 different government agencies.
These paste sites, such as Pastebin.com, are not even "deep Web" sites, but open, public sites where people regularly share information, says WIRED Magazine, leaving government officials and cyber experts very concerned.
“The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce,” Recorded Future representatives said in their report.
According to Recorded Future's report, as explained in an article in NewsFactor, the credentials were dumped by hackers on 17 different paste sites between November 2013 and November 2014. The credentials appear to be from 89 different government domains.
According to NewsFactor, the Department of Energy had the widest exposure, with email and password combinations for nine different domains posted on the Web, followed by the Department of Commerce, with seven.
Cyber experts at Recorded Future are blaming a lack of two-factor authentication for how easily the government credentials were breached.
“While some agencies employ VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind,” the firm's report said, pointing to a February Office of Management and Budget report to Congress that called attention to 12 agencies that “do not require most privileged users to log in with any form of two-factor authentication,” reports SC Magazine.
The firm did not disclose the specific domains that were breached, out of further safety concerns, but did say that users on several of the paste sites that featured the breached credentials claimed affiliation with known hacker groups such as Anonymous and LulzSec, according to SC Magazine.
Ken Westin, a senior security analyst at Tripwire, told NewsFactor that in most cases, personal information such as credentials, logins and passwords from data breaches found on paste sites like Pastebin are no longer valid, as their owners change them once the breach is discovered. However, he said that motivated criminals like to monitor such sites in real time so they can pounce on new credentials immediately upon posting, and do their damage with them.
What can companies and government agencies do to combat this type of threat? Brad Taylor, CEO of the cloud-based security firm Proficio, told NewsFactor that the problem is often that employees use their email addresses as their logins, paired with weak passwords. It's all too easy for a hacker to get hold of someone's email address and then crack a weak password, he explained.
Taylor therefore recommends that companies and agencies adopt two-factor authentication whenever possible, and that employees choose more complex login-password combinations and change them regularly.
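The defensive counterpart to the monitoring Westin describes is for an agency's own security team to watch paste dumps for its domains and force resets before the accounts are abused. The following script is an added example written for this article; it is not code from Recorded Future, Tripwire or Proficio. It scans a constructed sample paste for credential-looking lines, keeps only the ones under the monitored domains (the domain names, the sample accounts and the short common-password list are all made-up assumptions), flags passwords that Taylor's point about weak passwords would apply to, and redacts the passwords in its report so the report itself does not re-leak them.

```python
import re
from collections import Counter

# Constructed sample paste text; every address and password here is made up.
SAMPLE_PASTE = """\
leaked accounts lol
jdoe@energy.example.gov:Summer2014
asmith@commerce.example.gov:P@ssw0rd!
bjones@contractor.example.com:hunter2
cking@energy.example.gov:xK9#mQ2v!pL7zRwT
"""

# Hypothetical domains this security team is responsible for (assumption).
MONITORED_DOMAINS = {"energy.example.gov", "commerce.example.gov"}

# Small constructed list standing in for a real breached-password wordlist.
COMMON_PASSWORDS = {"password", "p@ssw0rd!", "123456", "hunter2", "summer2014", "welcome1"}

# An email address, a separator (colon, semicolon, pipe, comma or whitespace), then the password.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))[:;|,\t ]+(\S+)")


def extract_credentials(text):
    """Return (email, domain, password) for each line that looks like a dump entry."""
    found = []
    for line in text.splitlines():
        m = CRED_RE.search(line)
        if m:
            found.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return found


def is_weak(password):
    """Flag passwords a wordlist or short brute-force run would recover quickly."""
    if password.lower() in COMMON_PASSWORDS or len(password) < 12:
        return True
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(check(c) for c in password) for check in checks)
    return classes < 3


def redact(password):
    """Keep only the first two characters so the report can be shared internally."""
    return password[:2] + "*" * (len(password) - 2)


def in_scope(domain, monitored):
    """True when the domain is a monitored domain or a subdomain of one."""
    return any(domain == m or domain.endswith("." + m) for m in monitored)


def assess_exposure(text, monitored):
    """Summarise which monitored accounts appear in the paste and which need a reset first."""
    creds = [c for c in extract_credentials(text) if in_scope(c[1], monitored)]
    by_domain = Counter(domain for _, domain, _ in creds)
    weak = [email for email, _, pw in creds if is_weak(pw)]
    report = [f"{email}  pw={redact(pw)}  weak={is_weak(pw)}" for email, _, pw in creds]
    return {"total": len(creds), "by_domain": by_domain, "weak_accounts": weak, "report": report}


if __name__ == "__main__":
    result = assess_exposure(SAMPLE_PASTE, MONITORED_DOMAINS)
    print(f"{result['total']} monitored accounts exposed; reset all of them, weak ones first:")
    for line in result["report"]:
        print("  " + line)
    for domain, n in result["by_domain"].most_common():
        print(f"{domain}: {n} account(s)")
```

Every exposed account should be reset regardless of password strength, because the article's point is that the credential is already public; the weak-password flag only orders the work. The contractor address in the sample is deliberately left out of the report because it is outside the monitored domains, which is the scoping decision a real monitoring job has to make explicitly.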