It’s no surprise that careless government employees use their .gov email addresses to sign up for all sorts of personal accounts. But when those insecure third party services are breached by hackers—and if those employees were foolish enough to reuse their .gov passwords, too—that carelessness can offer a dead-simple backdoor into federal agencies, with none of the usual “sophisticated Chinese attackers” required.
The security intelligence firm Recorded Future on Wednesday released a report that details its scouring of online email addresses and passwords revealed when hacker groups breach third party websites and dump their booty on the web. Searching through those user data dumps from November 2013 to November 2014 on public websites like Pastebin—not even on dark web sites or private forums—Recorded Future found 224 government staffers’ data from 12 federal agencies that don’t consistently use two-factor authentication to protect their basic user access
The security intelligence firm Recorded Future on Wednesday released a report that details its scouring of online email addresses and passwords revealed when hacker groups breach third party websites and dump their booty on the web. Searching through those user data dumps from November 2013 to November 2014 on public websites like Pastebin—not even on dark web sites or private forums—Recorded Future found 224 government staffers’ data from 12 federal agencies that don’t consistently use two-factor authentication to protect their basic user access
